Fake AVs are aimed at HSBC users through phishing emails, finds Symantec
Fake and malicious e-mails are flooding HSBC users' mail accounts, urging recipients to install a tainted version of Rapport, one of the trusted security programs that protect online bank accounts from fraud.
The spam campaign targeting HSBC users was detected by Symantec. Symantec researchers state that financial institutions are mainly targeted, with recipients tricked into installing the supposed anti-virus software, which is in fact information-stealing software named W32.Difobot.
The phishing emails claim to be from HSBC, one of the biggest banking and financial services companies in the world, and bear @hsbc.com in the sender address.
The fake Rapport software, when installed, steals information from the compromised computer. The malware uses Windows GodMode to conceal itself on the infected computer. GodMode, also called the Windows Master Control Panel Shortcut, is a shortcut used for accessing several access control settings in certain versions of Windows.
To masquerade as an authentic and convincing security email, the message features security advisory information and eco-friendly messages.
What does the malware do?
If the malware is triggered, it creates a folder for itself and then uses Windows GodMode to hide itself.
Also, the Trojan modifies registry entries in order to disable notifications and system tools in an attempt to shield itself.
As soon as the threat is rooted in the compromised computer, it communicates with a command-and-control server. This lets the attacker perform actions remotely and steal information, such as financial data, from the infected computer.
However, it is feared that the spam may be part of a larger campaign, as other instances of similar HSBC-themed emails have been observed on other occasions.
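A defender-side check for the hiding technique described above, added here as an example and not taken from Symantec's analysis: it walks a directory tree and flags folders whose names end in a shell CLSID suffix, reporting which of them hold files on disk. The GodMode CLSID is general Windows knowledge rather than a value from the article; the function names and sample tree are constructed, and treating a non-empty folder as worth review is an assumption.

```python
import os
import re
import tempfile

# CLSID of the Windows "All Tasks" (GodMode) shell folder. General Windows
# knowledge, not a value from the article.
GODMODE_CLSID = "ED7BA470-8E54-465E-825C-99712043E01C"
# Explorer treats a directory named "<name>.{GUID}" as a shell junction.
CLSID_SUFFIX = re.compile(
    r"\.\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$")

def has_payload(path):
    """True if any file exists under path (checked on disk, not via Explorer)."""
    return any(files for _, _, files in os.walk(path))

def find_clsid_folders(root):
    """Return sorted (relative path, is_godmode, has_payload) per CLSID-named folder."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            match = CLSID_SUFFIX.search(name)
            if match:
                full = os.path.join(dirpath, name)
                hits.append((os.path.relpath(full, root),
                             match.group(1).upper() == GODMODE_CLSID,
                             has_payload(full)))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data: a normal folder, an empty shortcut, a folder hiding a file."""
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "GodMode.{%s}" % GODMODE_CLSID))
    hidden = os.path.join(root, "AppData", "svc.{%s}" % GODMODE_CLSID.lower())
    os.makedirs(hidden)
    with open(os.path.join(hidden, "sample.bin"), "wb") as fh:
        fh.write(b"constructed placeholder")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, is_godmode, payload in find_clsid_folders(tmp):
            verdict = "REVIEW" if payload else "empty"
            print(f"{verdict:6} godmode={is_godmode} {rel}")
```

The check reads directory names from the file system directly, so it still lists files that Explorer does not display inside such a folder.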