Attention! Dear Depositor -- the FDIC (Federal Deposit Insurance Corporation) is not sending you an e-mail with a mysterious ZIP file attachment. If you receive such a message claiming to be from the FDIC, don't be fooled. The e-mail is a phishing attack, and the attachment is actually malware.
Fred Touchette has some more details about this phishing scam in an AppRiver blog post. Touchette explains, "We often see, as everyone is aware of, malware campaigns that pretend to come from major banking institutions, but I can't recall having seen any that come from their insurers before."
That is true. Phishing scams targeting specific banks or credit unions are fairly common. This threat -- by virtue of claiming to be from the FDIC that insures the deposits of virtually all financial institutions -- has a much larger pool of potential victims. Basically, rather than only targeting Bank of America, or Wells Fargo, or some other bank, this phishing scam targets anyone with a bank account.
Unfortunately -- at least for the attackers -- the message is a bunch of grammatically error prone gibberish. "In order to inform you about the news concerning current business activity of the Company on a timely basis, please, look through the last important changes in current regulations of endowment insurance procedure" doesn't even make sense, so hopefully it is unlikely to lure too many naïve victims to actually open the file attachment as directed.
Touchette describes the actual threat behind the FDIC phishing attack. "In actuality the attachment is a Trojan downloader, one we've become very accustomed to -- Oficla. Oficla is responsible for doing the hard work, which is tricking you into installing it and opening up the backdoor and letting in all of its ne'er-do-well buddies. In the past these have included everything from scareware viruses to data loggers such as ZeuS and everything in between."
With malware and cyber crime being such big business, you would think the attackers could afford to hire some ethically-challenged individuals fluent in English and perhaps do some grammar-proofing and spell-checking of these messages before launching the attack. I'm not trying to help the bad guys, but come on -- this phishing message is so bad it wouldn't fool my eight year old.
The attackers get some bonus points for thinking outside of the box and attempting to spoof the FDIC rather than a specific financial institution, but they fail miserably in the execution department.
Let's sum up with the obligatory warnings. Neither your bank, nor the FDIC will send you an e-mail -- poorly worded or otherwise -- directing you to open up some cryptic file attachment. Just don't do it. If you ever have reason to feel that such a message could potentially be legitimate, delete the e-mail anyway and contact your financial institution directly.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.