Posted December 17, 2014
New Trojans targeting banks in South Korea have been using Pinterest as a Command and Control channel
Last summer Trend Micro observed online banking Trojans that were targeting South Korean banks. Now, compromised sites that contain exploit kits are delivering banking Trojans to site visitors. Some of the banks being targeted include Hana Bank, Nonghyup Bank, the Industrial Bank of Korea (IBK), Shinhan Bank, Woori Bank, Kookmin Bank, and the Consumer Finance Service Center. Once a customer has been infected with malware and is redirected to a phishing site that looks like a legitimate banking website, the criminals are able to steal their credentials.
One interesting characteristic of this particular Trojan is that it is using Pinterest as its command-and-control server to redirect users to various spoofed banking sites:
[Image: Pinterest comments used by the Trojan. Photo courtesy of Trend Micro]
In these comments, letters stand in for the dots of an IP address: replacing the letters with dots yields the address of the server hosting the phishing page.
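As an added example (not code from the original post or from Trend Micro's report), the decoder below applies that letter-for-dot substitution to comment text and keeps only results that parse as valid IPv4 addresses, which is the check a detection rule over social-media comments would need. The sample comments and the assumption that any run of letters stands in for a single dot are constructed for illustration.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Constructed sample comments (not taken from the Trend Micro report).
SAMPLE_COMMENTS = [
    "203b0b113b45",               # letters in place of dots -> 203.0.113.45
    "Lovely pins 192x168x1x999",  # last octet out of range, must be rejected
    "hello world",                # no encoded address at all
    "10zz0zz0zz1",                # assumption: a run of letters is one dot
]

# Four 1-3 digit groups separated by runs of letters, not glued to other digits.
ENCODED_IP_RE = re.compile(
    r"(?<!\d)(\d{1,3})[A-Za-z]+(\d{1,3})[A-Za-z]+(\d{1,3})[A-Za-z]+(\d{1,3})(?!\d)"
)


def decode_candidates(text):
    """Return IPv4 addresses hidden in text by letter-for-dot substitution.

    Each regex hit is rebuilt with dots and validated with IPv4Address, so
    octets above 255 (or leading-zero forms) are discarded rather than reported.
    """
    found = []
    for match in ENCODED_IP_RE.finditer(text):
        dotted = ".".join(match.groups())
        try:
            found.append(str(IPv4Address(dotted)))
        except AddressValueError:
            continue  # looked like an address but is not a valid one
    return found


def scan_comments(comments):
    """Map each comment that yields at least one decoded address to those addresses."""
    hits = {}
    for comment in comments:
        decoded = decode_candidates(comment)
        if decoded:
            hits[comment] = decoded
    return hits


if __name__ == "__main__":
    for comment, addresses in scan_comments(SAMPLE_COMMENTS).items():
        print(f"{comment!r} -> {addresses}")
```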
To demonstrate how the Cyveillance Cyber Threat Center can be used to add context to data points found with traditional anti-virus and anti-malware services, we entered one of the IP addresses, 184.108.40.206, into our geolocation tool and found the following:
- The IP Range 70.39.104.* is being run out of Cleveland, Ohio by an ISP
- Most of the domain names in this range contain Chinese content
- At least two instances of malware can be located on a website hosted in this range
With this added context, a security team could be confident in blacklisting this IP address and possibly the entire range because it has a recent history of hosting malware, and seemingly does not contain any websites that an employee of a U.S.-based company would need to access for normal business activities. Additional investigations into owners of IP ranges and domain names should be part of due diligence investigations before contracting with any ISP-related vendors.
It’s not surprising that criminals have figured out another way to use social media as an attack vector. It will be interesting to see if this type of malware spreads to other social networks, as well as how attacks are tailored to specific platforms.
Learn more about how to proactively monitor these types of threats with the Cyveillance Cyber Threat Center.