NEWS FROM THE LAB - Tuesday, December 9, 2008

Bank of America's New Banking Site

Posted by Patrik @ 19:22 GMT

As Christine mentioned earlier today in her post regarding Koobface and how it uses fake Flash players to trick people into downloading malware, a smart move is to only download Adobe Flash player from… Adobe!

Here's another example of a social engineering scam, this time using a new Bank of America online banking system.


Clicking on the link leads to a fake BoA page with a "video" showing what the new site looks like. To view it, you have to download the updated Flash player.


If you run the fake Flash player, it downloads another file from premierinet.com, which in turn is a trojan that hides itself with a rootkit, steals confidential information and posts it to a server in Ukraine.

Again, we recommend that you only download Adobe Flash Player from Adobe's website.

Updated to add: The fake Flash player that the "BoA" site is providing is a new variant of the one detected on November 5th, used by the Obama election spam.

Both the Obama and the BoA variants post their stolen data to IP addresses within the same block; they're almost identical.

Update 2: Domains we've seen used to host the fake BoA page:

– demobankofamerica .com
– bankamericademo .com
– serverdemobank .com
– demoversions10 .com

Subjects of the spammed e-mails:

Bank of America – Always Free Customer Service Demo Account, Try for FREE
Bank of America – learn how to trade with the Demo Dealer Station below
Bank of America – We Give You The Tools You Need. Try A Free Demo Account!
Bank of America – New Demo Account, Try for FREE
Bank of America – Demo Account Set Up
Bank of America – Demo account
Bank of America – Open A Demo Account
Bank of America – your Demo Account username and passcodes will be generated and emailed to you.
Bank of America – DEMO ACCOUNT not working