Because banking fraud keeps growing, users of online banking need to be careful when making online transactions.
2. Spreading path and symptoms of infection
A recently found malicious file is designed to target online banking users of HSBC. When this malicious program runs, it sends the account number, password and other personal information the user enters to a certain IP address using SMTP (Simple Mail Transfer Protocol).
This malicious file is named "Modulo_HSBC.exe", and its file properties are also disguised as banking information ("HSBC Bank Brasil S.A. - Banco Múltiplo").
When this malicious file is executed, it pops up a message box: "Please wait a moment while we configure the application for registration to start updates."
* Network transaction information when the malicious file is executed
When the "Modulo_hsbc" waiting message is closed, the message "wait while the server connect HSBC" appears.
In the next phase, the user can enter "CPF" information.
In the next phase, the user can enter a 4-digit password.
On this page, HSBC requires the user to enter a 7-digit password.
The following screen asks for information used for online banking.
End of the process.
The INCA Internet Emergency Response Team found that the information entered is leaked to a certain web site using SMTP.
* Packet transaction data information
- The submitted information is recorded as follows.
- The destination IP address is located in the United States.
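The leak described above is outbound SMTP from a workstation process to an external address, which an egress check on connection logs can surface. The following is an added example, not part of INCA Internet's analysis; the log format, host names, approved relay, mail-client list and all IP addresses are constructed assumptions.

```python
import ipaddress
import re

# Assumed egress policy: workstations may only speak SMTP to these relays.
APPROVED_RELAYS = [ipaddress.ip_network("192.0.2.25/32")]
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist

# Constructed log format: "<time> <host> <process> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+->\s+(?P<dst>[0-9.]+):(?P<port>\d+)$"
)

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
2000-01-01T09:14:02 ws-041 outlook.exe -> 192.0.2.25:587
2000-01-01T09:15:40 ws-041 iexplore.exe -> 198.51.100.7:443
2000-01-01T09:16:11 ws-041 Modulo_HSBC.exe -> 203.0.113.90:25
2000-01-01T09:17:30 ws-017 thunderbird.exe -> 203.0.113.90:25
garbage line that should be skipped
"""

def find_suspect_smtp(log_text):
    """Return (host, process, dst, reason) for SMTP connections that break policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["port"]) not in SMTP_PORTS:
            continue  # unparsable line or not SMTP traffic
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address in the log
        reasons = []
        if m["proc"].lower() not in MAIL_CLIENTS:
            reasons.append("non-mail process")
        if not any(dst in net for net in APPROVED_RELAYS):
            reasons.append("unapproved relay")
        if reasons:
            findings.append((m["host"], m["proc"], m["dst"], "+".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in find_suspect_smtp(SAMPLE_LOG):
        print(finding)
```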
3. How to prevent
To keep your PC safe from security threats such as these malicious files, we recommend following the "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions in “nProtect Anti-Virus/Spyware” for detecting malicious files such as the one described above, and runs a response system against various security threats.