Contributed by: Aurelija
Date: November 14, 2008

Is Federal Reserve Delivering PDF Exploit???

 

Security researchers at Trend Micro have released a report warning of a new scam that pretends to come from the US Federal Reserve Bank. The twist is that the spammed messages direct users to a web page which itself warns of a new phishing scam targeting users.

This spam, which has been circulating since last week, carries a fake Federal Reserve letterhead. The message warns that "a large-scaled phishing attack started and has been still lasting." Two things should make recipients suspicious of the email: the poor grammar, and the two links they are prompted to click for more information.

Below you can see the screenshot of a sample email:

[Screenshot: fed_res_spam.png, the sample spam email]

Trend Micro notes that the malicious web sites are using the following domains:

  • 1federalreservebank.com
  • 1federalreservebank.net
  • connection-secure.net
  • fdicbanks.net
  • fdicorp.org
  • fdic-secure.org
  • fed-reserve.com
  • fed-reserve.net
  • federalreserveus.com
  • federalreserveus.net
  • fedreservebank.net
  • fedreservesystem.com
  • fedreservesystem.net
  • tdbanks.net
  • treasurydepartment.net
  • us-bankconnect.net
  • us-bankers.com
  • us-bankers.net
  • us-securebanking.net
  • usbanker.org
  • usbanksecurities.net

These domains resolve to a single IP address with a relatively short TTL (time to live) of 3600 seconds, which lets the operators repoint every one of them to a new host within an hour if the current one is taken down. A user who clicks one of the links is briefly shown a fake Federal Reserve page that tries to download a PDF file, supposedly containing further details on the attack. Immediately afterwards the browser is forwarded to a pornographic web site while a PDF exploit is downloaded to the user's system.
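A defender with passive-DNS data can pick this pattern out without visiting any of the sites: several brand-lookalike names that all resolve to one address with the same modest TTL. The Python below is an added example, not code from the article or from Trend Micro. The sample records are constructed (the names follow the list above, but the address and TTLs are illustrative), and the keyword list, TTL threshold and minimum cluster size are assumptions that a real deployment would tune.

```python
import re
from collections import defaultdict

# Constructed passive-DNS style records: (name, A record, TTL in seconds).
# Names follow the list above; the address and TTLs are illustrative only.
SAMPLE_RECORDS = [
    ("1federalreservebank.com", "203.0.113.10", 3600),
    ("fed-reserve.net", "203.0.113.10", 3600),
    ("fdic-secure.org", "203.0.113.10", 3600),
    ("us-securebanking.net", "203.0.113.10", 3600),
    ("tdbanks.net", "203.0.113.10", 3600),
    ("federalreserve.gov", "198.51.100.5", 86400),  # constructed control record
    ("example.org", "198.51.100.7", 86400),         # constructed control record
]

# Brand tokens to look for after normalisation (assumed list; tune per brand).
BRAND_KEYWORDS = ("federalreserve", "fedreserve", "fdic", "treasury", "bank")


def normalise(name: str) -> str:
    """Lower-case and strip dots and hyphens so 'fed-reserve' and 'fedreserve' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def looks_like_brand(name: str, keywords=BRAND_KEYWORDS) -> bool:
    n = normalise(name)
    return any(k in n for k in keywords)


def cluster_by_ip(records):
    """Group (name, ttl) pairs by the address they resolve to."""
    clusters = defaultdict(list)
    for name, ip, ttl in records:
        clusters[ip].append((name, ttl))
    return dict(clusters)


def flag_shared_short_ttl(records, max_ttl=3600, min_names=3, keywords=BRAND_KEYWORDS):
    """Return {ip: [names]} for addresses hosting at least min_names brand-lookalike
    names whose TTL is at most max_ttl. Sorted names keep the output stable."""
    hits = {}
    for ip, entries in cluster_by_ip(records).items():
        suspects = sorted(name for name, ttl in entries
                          if ttl <= max_ttl and looks_like_brand(name, keywords))
        if len(suspects) >= min_names:
            hits[ip] = suspects
    return hits


if __name__ == "__main__":
    for ip, names in flag_shared_short_ttl(SAMPLE_RECORDS).items():
        print(f"{ip}: {len(names)} lookalike names with TTL <= 3600s")
        for n in names:
            print("   ", n)
```

A TTL of 3600 seconds is common for legitimate zones too, so on its own it is a weak signal; what makes the cluster stand out is the combination of a shared address, a short TTL and brand keywords in the names, and the minimum cluster size keeps one oddly named host from raising an alert.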

Trend Micro advanced threats researcher Joey Costoya notes that the PDF file is loaded with malicious JavaScript. "The PDF JavaScript is designed with downloaders of downloaders that come from different internet locations. The final component (at the end of the downloader chain), the Trojan, infects and automatically restarts the victim PC."
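Triage of a PDF like this one starts with the names that make a reader act on open: /OpenAction and /AA trigger an action automatically, while /JavaScript and /JS carry the script itself. The scanner below is an added example, not Trend Micro's analysis or tooling. It looks for those names after undoing the #xx hex escapes that the PDF syntax permits inside name objects, an obfuscation that defeats a naive string match. The sample document is constructed and only pops an alert; the set of watched names and the verdict rules are assumptions.

```python
import re

# PDF names that make a viewer act on open or carry script and payloads.
# /AA (additional actions) and /OpenAction trigger automatically; /JS and
# /JavaScript carry the code; the rest are common secondary payload carriers.
AUTO_RUN = {b"/OpenAction", b"/AA"}
SCRIPT = {b"/JavaScript", b"/JS"}
CARRIERS = {b"/Launch", b"/EmbeddedFile", b"/URI", b"/RichMedia"}
WATCHED = AUTO_RUN | SCRIPT | CARRIERS


def decode_pdf_names(data: bytes) -> bytes:
    """Undo the #xx hex escape PDF permits inside name objects, so that an
    obfuscated /J#61vaScript is matched like a plain /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count occurrences of each watched name. The lookahead stops /JS from
    matching inside longer names such as /JSfoo, and /AA inside /AAPL."""
    decoded = decode_pdf_names(data)
    found = {}
    for name in WATCHED:
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", decoded)
        if hits:
            found[name.decode()] = len(hits)
    return found


def verdict(findings: dict) -> str:
    """Script plus an auto-run trigger is the signature of a drive-by PDF."""
    names = set(findings)
    has_script = any(n.encode() in SCRIPT for n in names)
    has_autorun = any(n.encode() in AUTO_RUN for n in names)
    if has_script and has_autorun:
        return "suspicious: script runs on open"
    if has_script or (names & {c.decode() for c in CARRIERS}):
        return "review: active content present"
    return "clean: no active content found"


# Constructed sample with an obfuscated action name; it only pops an alert.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed control document with no active content.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        f = scan_pdf(doc)
        print(label, f, "->", verdict(f))
```

A raw-bytes scan like this only sees names that sit in plain view; real drive-by PDFs usually hide the script inside a /FlateDecode stream or an /ObjStm object stream, so a full triage inflates those streams before matching, and a "clean" result from the scanner above means only that nothing was visible in the clear.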

After this restart the infected computer regularly sends malformed HTTPS transactions (at 6.5-second intervals) to a particular server. The traffic lacks the SSL handshake with which a normal SSL session begins, which is why the transactions are considered malformed; the payload nevertheless appears to be encrypted in some other way.
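The beaconing behaviour described above is detectable from flow data alone: a host that repeatedly connects to port 443 at a fixed interval, where the first bytes of each connection are not a TLS (or SSLv2-compatible) ClientHello. The Python below is an added example, not from the article or from Trend Micro. The flow records are constructed, and the period, tolerance and minimum number of regular intervals are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import median


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the first bytes are a TLS record of type Handshake (0x16),
    record version 3.0 through 3.4, carrying a ClientHello (handshake type
    0x01), or an SSLv2-compatible ClientHello (high bit set on the length
    field, message type 0x01 in the third byte)."""
    if len(payload) < 6:
        return False
    tls = (payload[0] == 0x16 and payload[1] == 0x03
           and payload[2] <= 0x04 and payload[5] == 0x01)
    sslv2 = bool(payload[0] & 0x80) and payload[2] == 0x01
    return tls or sslv2


def find_beacons(flows, period=6.5, tolerance=0.5, min_intervals=4):
    """Group port-443 flows by destination, keep those whose first bytes are
    not a ClientHello, and report destinations contacted at a regular interval.

    flows: iterable of (timestamp_s, dst_ip, dst_port, first_bytes).
    Returns {(dst_ip, dst_port): {"flows": n, "regular_intervals": k,
                                  "median_interval": seconds}}.
    """
    by_dst = defaultdict(list)
    for ts, dst_ip, dst_port, head in flows:
        if dst_port == 443 and not is_tls_client_hello(head):
            by_dst[(dst_ip, dst_port)].append(ts)

    beacons = {}
    for dst, stamps in by_dst.items():
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = [d for d in deltas if abs(d - period) <= tolerance]
        if len(regular) >= min_intervals:
            beacons[dst] = {
                "flows": len(stamps),
                "regular_intervals": len(regular),
                "median_interval": median(regular),
            }
    return beacons


# Constructed flow records (timestamp_s, dst_ip, dst_port, first payload bytes).
CLIENT_HELLO = bytes.fromhex("160301005d01000059")   # TLS 1.0 record carrying a ClientHello
BEACON_HEAD = bytes.fromhex("7f2c9ab3e0115d44")      # opaque bytes, no handshake

SAMPLE_FLOWS = [
    (1000.0, "203.0.113.77", 443, BEACON_HEAD),
    (1006.5, "203.0.113.77", 443, BEACON_HEAD),
    (1013.0, "203.0.113.77", 443, BEACON_HEAD),
    (1019.4, "203.0.113.77", 443, BEACON_HEAD),    # slight jitter
    (1026.0, "203.0.113.77", 443, BEACON_HEAD),
    (1032.5, "203.0.113.77", 443, BEACON_HEAD),
    (1002.0, "198.51.100.20", 443, CLIENT_HELLO),  # ordinary HTTPS session
    (1040.0, "198.51.100.20", 443, CLIENT_HELLO),
]

if __name__ == "__main__":
    for dst, info in find_beacons(SAMPLE_FLOWS).items():
        print(f"{dst[0]}:{dst[1]} beaconing every ~{info['median_interval']:.1f}s "
              f"({info['regular_intervals']} regular intervals of {info['flows']} flows)")
```

The handshake check is what separates this traffic from ordinary HTTPS: a real browser session always opens with a ClientHello, so non-TLS bytes on port 443 arriving on a fixed cadence are worth an alert even though the payload itself cannot be read.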

As a result, the usual advice applies once again: do not follow unsolicited links, use caution when visiting untrusted websites, and keep anti-spam filters and anti-virus software up to date.
