Phishing Campaign Uses FTP Links to Deliver DanaBot Banking Trojan
A phishing campaign that delivers malware designed to steal banking data and other private information was discovered targeting a group of Australian businesses.
The attackers disguised their messages as invoices issued by MYOB, a local accounting software firm, according to a July 2018 Trustwave report. Users who clicked on the email links were directed to a file transfer protocol (FTP) server with a modular version of the DanaBot malware.
Once the three component pieces are activated, cybercriminals can send encrypted data, such as screenshots of victims’ machines, back to a command-and-control (C&C) server where it can be distributed covertly using channels like Tor.
Phishing Campaign Targets Businesses
This tactic suggests that the perpetrators designed the phishing campaign specifically to target business professionals. Tracking invoices is critical in almost any kind of company, which means victims are likely to pay greater attention to these messages. Using FTP also makes the malicious emails appear more legitimate than they would if they came from an unknown HTTP address.
Finally, the fact the DanaBot banking Trojan is broken up into multiple, heavily encrypted pieces means that it is flexible and agile enough to evade detection.
How Can Organizations Strengthen Email Security?
Security professionals can help protect their organizations from phishing campaigns by developing a layered approach to email security. IBM experts recommend investing in external solutions that pull data from sensors and other sources to scan all incoming messages.
They also recommend that security teams implement perimeter protection using spam detection tools and antispam solutions that can run on internal mailer servers on corporate networks. Finally, mail clients should be connected to a protection mechanism that detects spam and phishing attempts.