We've seen several attempts in the past for criminals to try to get your passwords by the social engineering trick of a "Digital Certificate". Beginning in today's spam we're seeing another round that seems more directed at existing users of the Bank of America Digital Certificate program. Previous Bank of America Digital Certificate scams were covered in this blog in our stories including: Banking Digital Certificate Malware in Spam, Bank of America Demo Account - DO NOT CLICK, and LaSalle acquisition by Bank of America spreads malware.

The current email warns that "The Digital Certificate for your Bank of America Direct online account has expired." and provides a link to a website to update the information. All of the links on the website shown below point to the real Bank of America Direct Digital Certificate program, except the "CONTINUE" button.

According to the WHOIS policy for .EU domains, I am not allowed to share with you in my blog the patently false registration information for the domain 1il1il1.eu.

You would have to WHOIS the information yourself from: http://www.eurid.eu, which is probably part of why criminals like .eu domains so much.

We actually received more than fifty copies of this new scam, with the earliest arriving May 29th at 9:30 AM. For most of them, several domains are used, and for some we have multiple copies, with fjtiili.com, hftiili.be, fgtsssa.com, and idfsre.com being the most popular among those we've seen in the spam:

lstrass.com
nfillil.net.sg
fjtiili.com
fgtsssa.co.uk
idfgtid.li
idfgtid.cz
idfsre.com
hftiili.be
fgtsssa.com

Continued @ CyberCrime & Doing Time

Bank of America certificate scam propagating Waledac, Virut
Angela Moscaritolo
June 02, 2009

The SANS Internet Storm center said in a post on Monday that a quick analysis of this malware showed “probable signs” of Waledac -- the notorious worm capable of harvesting and forwarding password information and receiving commands from a remote server. Sean-Paul Correll, threat researcher for Panda Security confirmed to SCMagazineUS.com on Tuesday that the threat is being detected as Waledac.

Marshal8e6's Hay said that after initial analysis of this threat, one of the components of the attack looks like a variant of Virut, which is capable of downloading anything the command and control server wants to install on the infected system, Marshal8e6 said in a recent blog post.

"If the user is compromised by Virut, then potentially all sorts of other malware may end up on the PC,” Hay said.

In February, Microsoft warned that a particularly nasty variant of the Virut virus had been unleashed. The virus was responsible for shutting down the court system in Houston after about 475 of the city's 16,000 computers were infected.

Continued @ SCMagazine