“Wire bank transfer” malware phishing scam hits SWIFT banking system

Hackers are becoming persistent in phishing scams against banking and cryptocurrency exchanges since they are lucrative targets. In the last couple of years, hackers have tricked several unsuspecting users and stole millions with tricky and sophisticated phishing scams.

Now, the IT security researchers at Comodo Labs have discovered a new phishing scam targeting SWIFT financial messaging service. But this time, the scam does not only aim at stealing banking credentials but also infects victims computers with Adwind RAT (Remote access tool).

Adwind RAT was first discovered in 2015 targeting Android, macOS, Linux and Windows devices. In the latest phishing scam, the malware targets Windows-based devices. According to Comodo Threat Research Lab analysts, an email is being circulated around the Internet which alerts users that a wire bank transfer has initiated to their account and in order to check details they need to click an attachment file.

A screenshot shared by Comodo Labs in their blog post shows the content of the phishing email:

"Wire bank transfer" malware phishing scam hits SWIFT banking system

In reality, the attachment contains Adwind malware capable of exfiltrating data from the compromised device and dropping backdoor which allows hackers to infect the device with additional malware. Moreover, the malware modifies the system registry, tries to kill anti-virus and anti-adware programs on the device to avoid detection.

It then installs malicious executable files on the device and connects itself with a dark web domain on the Tor network. Additionally, Comodo researchers noted that Adwind malware also disables Windows restore option and turns off the User Account Control.

The purpose of this phishing scam is to spy on users and steal money since SWIFT (Society for Worldwide Interbank Financial Telecommunication) lets users send and receive information about financial transactions in a secure environment and target of it can be an unsuspecting user, a banking or financial institution and their employees. 

“As we see, cybercriminals more and more often use finance-related topics as a bait to make users download malware and infect an enterprise’s network,” said Fatih Orhan, head of Comodo Threat Research Lab. “They combine technical and human patterns as an explosive combination for breaking down the door to let the malware in. But it only works if the company has been careless about the right defense of that door”.

There are currently millions of users in 200 countries using SWIFT financial messaging services including 11,000 banks, security organizations, business institutions and corporate customers. Therefore, if you are one of them avoid opening emails sent from an unknown party, do not click on links or download/open attachment from such emails. However, in an event, you have downloaded a file make sure to scan it on VirusTotal, an online scanner for malicious files powered by top cybersecurity giants.

Here are some quick tips for users to understand how phishing scam works and how you can avoid being scammed.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.