A phishing campaign has recently been seen targeting a major financial services provider in the United States, infecting the victim with a keylogger to steal important information.
As Proofpoint reports, the attack is narrow in scope, sending only a small number of malicious emails to a single organization. Despite this, it targets a financial institution, a popular category for cybercriminals. Aside from possibly getting a large amount of money, they can also exploit customers' information and use it for their own ends.
The phishing scam uses Microsoft Word documents, like many others. While many employ innocent-looking macros as vectors to download the malware, this one uses a Visual Basic Script as the agent to launch the malicious attack.
Upon opening the Word document, named "info.doc," users are greeted with a message saying that they need to install Microsoft Silverlight in order to view the content, as shown above. Proofpoint notes that clicking on the image will reveal not a link, but a Visual Basic script file which contains a keylogger.
When this software is executed, it is able to record every keystroke of the victim, potentially putting their privacy and their personal and financial information at risk. It then sends the collected data to two Gmail addresses. The keylogger used is currently unidentified, but it was found that it is written in the AutoIt scripting language and uses a tool like the LaZagne password recovery tool.
Proofpoint notes that while the phishing scam is simple compared to others, the use of keyloggers inside purportedly legitimate Word documents represents a shift from the "tried and tested" method of tricking users into enabling macros.
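A defender-side triage example for the delivery technique described above, added here and not taken from Proofpoint or the campaign: assuming the script is embedded as an OLE Package object, it parses that object's Ole10Native stream and flags script or executable file names. The stream layout used is the commonly documented one and is an assumption, as are all function names, file names and the sample stream, which are constructed; pulling the stream out of the .doc container is left to an OLE parsing library.

```python
import ntpath
import struct

# Extensions Windows runs via a script host or loader when double-clicked.
RISKY = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".scr", ".exe", ".lnk"}

def _cstr(buf, pos):
    """Read a NUL-terminated string at pos; return (text, next position)."""
    end = buf.index(b"\x00", pos)          # ValueError if the stream is truncated
    return buf[pos:end].decode("latin-1"), end + 1

def parse_ole10native(stream):
    """Return the embedded file's names and payload, or None if malformed."""
    try:
        pos = 6                            # skip u32 total size and u16 flags
        label, pos = _cstr(stream, pos)
        src_path, pos = _cstr(stream, pos)
        pos += 8                           # two u32 fields not needed for triage
        temp_path, pos = _cstr(stream, pos)
        (size,) = struct.unpack_from("<I", stream, pos)
    except (ValueError, struct.error):
        return None
    payload = stream[pos + 4:pos + 4 + size]
    if len(payload) != size:               # declared size runs past the stream
        return None
    return {"label": label, "src_path": src_path, "temp_path": temp_path, "payload": payload}

def risky_names(pkg):
    """List every stored name whose extension is in RISKY."""
    hits = []
    for field in ("label", "src_path", "temp_path"):
        # Windows ignores trailing dots and spaces, so strip them before comparing.
        ext = ntpath.splitext(pkg[field].rstrip(" ."))[1].lower()
        if ext in RISKY:
            hits.append((field, pkg[field]))
    return hits

def build_sample(label, src_path, temp_path, payload):
    """Build a constructed Ole10Native stream for testing (no real sample data)."""
    body = struct.pack("<H", 2) + label.encode() + b"\x00" + src_path.encode() + b"\x00"
    body += struct.pack("<II", 0, len(temp_path) + 1) + temp_path.encode() + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    sample = build_sample("viewer.vbs", r"C:\build\viewer.vbs", r"C:\Temp\viewer.vbs ", b"' placeholder\r\n")
    print(risky_names(parse_ole10native(sample)))
```

A document whose embedded package reports any risky name can be quarantined at the mail gateway before a user is ever asked to click the lure image.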
Indeed, this is proof that cybercriminals have been upping their game when it comes to developing malware. With that in consideration, it pays to be always careful of the email we open, and the attachments we execute, as they are the usual methods of installing malicious software into our computers today.
Source: Proofpoint via ZDNet