Bogus BancorpSouth emails lead to exploit kit

Fake security related notices ostensibly coming from BancorpSouth, a bank holding company operating mainly in the South of the United States, have been hitting users’ inboxes.

Dear Account Holder,

This message is mailed to you regarding your online baking user passwords has been expired.

Set up a new user password by following these step:

1. Log into your online banking by our secure link for Expired Passwords and entering the temporary password below.
Your temporary password is: nb42xStg765bnk

2. You will then be prompted to change your password.
The temporary password will expire in 24 hours.

Despite the poor wording, some users just might follow the offered link. When they do, they are put through a series of redirects and finally land on a webpage hosting the popular Blackhole exploit kit.
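The lure above has the hallmarks of a password-reset phishing campaign: a claim that the password has expired, a "temporary password" supplied in the message itself, an instruction to log in via a link in the mail, a short deadline, and a generic salutation. The following is an added triage script, not part of the article or the researchers' work, that scores an inbound message on those features; the sample messages, the sender allowlist and the weights are constructed for illustration and are not the bank's real mail domains or any vendor's detection rules.

```python
"""Heuristic triage for 'expired password' bank-phishing lures.

Added example (not from the article or the researchers it quotes).
The rules and sample messages are built from the lure text the article
reproduces; the trusted-domain list is a placeholder assumption.
"""
from __future__ import annotations

import email
import re
from email.message import Message
from email.policy import default
from email.utils import parseaddr

# Assumed allowlist of domains a genuine bank notice would be sent from.
# Placeholder value; an organisation would substitute its own trusted domains.
TRUSTED_SENDER_DOMAINS = {"example-bank.invalid"}

# (rule name, pattern matched against the lowercased body, weight)
BODY_RULES = [
    ("password_expired", re.compile(r"passwords?\s+(has|have)\s+(been\s+)?expired"), 3),
    ("temporary_password", re.compile(r"temporary\s+password\s*(is)?\s*:?\s*\S+"), 4),
    ("login_via_link", re.compile(r"log\s*in(to)?\s+.*\b(link|click)\b"), 2),
    ("deadline", re.compile(r"expires?\s+in\s+\d+\s+(hours?|days?)"), 2),
    ("generic_salutation", re.compile(r"dear\s+(account\s+holder|customer|user)"), 1),
]
UNTRUSTED_SENDER_WEIGHT = 3
PHISH_THRESHOLD = 6


def _body_text(msg: Message) -> str:
    """Return the text/plain body of a parsed message (empty string if none)."""
    part = msg.get_body(preferencelist=("plain",)) if hasattr(msg, "get_body") else None
    if part is None:
        return msg.get_content() if not msg.is_multipart() else ""
    return part.get_content()


def sender_domain(msg: Message) -> str:
    """Extract the domain of the envelope-visible From address, lowercased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> tuple[int, list[str]]:
    """Score a raw RFC 822 message; returns (score, list of matched rule names)."""
    msg = email.message_from_string(raw, policy=default)
    body = _body_text(msg).lower()
    score, reasons = 0, []
    for name, pattern, weight in BODY_RULES:
        if pattern.search(body):
            score += weight
            reasons.append(name)
    if sender_domain(msg) not in TRUSTED_SENDER_DOMAINS:
        score += UNTRUSTED_SENDER_WEIGHT
        reasons.append("untrusted_sender_domain")
    return score, reasons


def is_suspicious(raw: str) -> bool:
    """True when the combined score reaches the triage threshold."""
    return score_message(raw)[0] >= PHISH_THRESHOLD


# Constructed sample: the lure text from the article with a made-up From header.
LURE_SAMPLE = (
    "From: BancorpSouth Online <notices@mail-notify.invalid>\n"
    "Subject: Your online banking password has expired\n"
    "\n"
    "Dear Account Holder,\n\n"
    "This message is mailed to you regarding your online baking user passwords has been expired.\n\n"
    "Set up a new user password by following these step:\n\n"
    "1. Log into your online banking by our secure link for Expired Passwords and entering the temporary password below.\n"
    "Your temporary password is: nb42xStg765bnk\n\n"
    "2. You will then be prompted to change your password.\n"
    "The temporary password will expire in 24 hours.\n"
)

# Constructed benign sample: a statement notice from the assumed trusted domain.
BENIGN_SAMPLE = (
    "From: Account Alerts <alerts@example-bank.invalid>\n"
    "Subject: Your statement is available\n"
    "\n"
    "Dear Jane Doe,\n\n"
    "Your October statement is now available in online banking. "
    "Log in as usual to view it. No action is required on your part.\n"
)

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        total, why = score_message(sample)
        print(f"{label}: score={total} suspicious={is_suspicious(sample)} reasons={why}")
```

The weights deliberately make the "temporary password in the body" feature the heaviest single signal, because a legitimate institution does not ship a credential in a broadcast e-mail; the sender-domain check on its own only nudges the score, so that a mere unfamiliar marketing domain does not trip the threshold without lure-like body content.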

If it manages to exploit a specific Java vulnerability, the user is served with a Trojan that can read cookies and browsing history, modify browser proxy settings and browser network configurations, and more.

Curiously enough, it is also able to terminate itself if it detects a debugger running on the targeted machine.

“This email campaign is rather large with these malicious links hosted by over 100 different domains currently. By 10 am we had quarantined just over 1 million of these messages,” say the researchers.

“Despite Bancorp South’s ample footprint in the southern states, it is a bit odd to see such a large campaign targeting a relatively small target audience. The group responsible for sending these messages have been very focused in the past few weeks and are keeping their social engineering tactics fresh. This could explain why they are targeting a smaller bank chain.”
