Email ruse uses Federal Reserve Bank name to drop PDF exploit
Ivan Macalintal, research manager at Trend Micro, told SCMagazineUS.com that honeypots have captured about 1,000 of the socially engineered emails in the past 24 hours. The messages claim to come from the Federal Reserve Bank and warn recipients that a fake phishing scam is in progress.
The bogus letter informs readers that "definite restrictions will be applied to all Federal Wire transfers from November 10 till November 18." Recipients are provided with a link to visit for more information.
However, that link leads to a malicious site that attempts to load a PDF exploit in the background, Macalintal said. The attacks attempt to take advantage of users who haven't updated to the lastest version of Adobe Reader.
At first, the user sees a fake Federal Reserve Bank site but after a few seconds, the page redirects to a site pushing pornography links, he said. Then, the malicious PDF file attempts to download.
Email security vendor Marshal's TRACE research team said in a blog post (which did not mention the PDF exploit) that the spam campaign's intention appears to be to advertise the porn sites.
"The delay on the page loading may be an attempt to obfuscate the site's real purpose, perhaps from a security researcher who casually follows the link and doesn't initially see anything wrong with it," the blog said.
Macalintal said that given the current fiscal climate, in which many users are concerned about their finances, malicious code writers may extend their phishing runs to target commercial banks and other financial institutions.
"It could be the start of something more widespread," Macalintal said. "There are lots of PDF exploits being seen nowadays."