Santander and NatWest Banks are investigating a potential security breach of customers' email accounts, following the discovery of a new Trojan attack that has alarmed some recipients.
The malware, which was revealed by Belgian security firm MX Lab on Monday 4th November, uses a fake email from NatWest about a ‘Direct debiting seminar' to distribute Trojan software.
But when MX Lab CEO Peter Louies blogged to reveal the attack, comments back suggested the Trojan had been sent to private email addresses that should only be known to, and used by, Santander Bank and by the Government Gateway and NatWest FastPay service.
One commentator, ‘Fs Ck', said: “Interestingly I have had two emails to two addresses EXCLUSIVELY used with Santander in UK. I run all my banking in a non-persistent Linux live-distro and therefore this MUST have been from a bank security breach. I have around 500 different email addresses and not a single one of the others have had a similar email in five years. In fact no spam filtering and this is the first phishing email in five years. Santander – you have been hacked…”
Another commentator, ‘Steven K', replying to the possibility that Easyspace hosting might also be a factor, emphasised: “I also had this email on an account ONLY used by Santander UK; I've never had anything to do with Easyspace. What are the chances of Santander owning up and emailing everybody in their mailing list and warning them their email addresses have been exposed? I would rate it at slim to none...”
A third commentator, ‘Chas', said they had received the spear phish to a number of email addresses - “but one of them has only been used with Government Gateway and NatWest FastPay”.
Santander's UK information security team was looking into the reports as SC Magazine UK went to press. Meanwhile, a NatWest/RBS Bank spokesperson commented: “We take security very seriously and will investigate further. However, at this time, we have no indication that the bank has suffered a breach.”
Peter Louies at MX Lab said the ‘NatWest' email purports to come from Graham Nevin, a senior relationship manager based in Sheffield. The wording is plausible and a LinkedIn profile exists for Nevin.
The malware is among a spate of recent banking and finance-based attacks. Louies said MX had discovered other Trojan campaigns this week based on spoof emails from the UK's Inland Revenue and Companies House.
Elsewhere, security blogger Bart Blaze of Panda Security last week reported a new variant of the Caphaw banking malware being distributed via Skype. Caphaw, also known as Shylock, targets the customers of at least 24 major banks including Bank of Scotland, Barclays and the Co-Operative Bank.
Meanwhile, a survey published last week by Kaspersky Lab and Barclays found that 47 per cent of people have received bogus emails allegedly coming from a bank – and about 4 per cent of respondents admitted they had lost money to cyber criminals.
Peter Louies explained to SCMagazineUK.com that Trojan attacks come in waves. “You will have several weeks where we don't have many and other weeks where there are multiple variants. Recently spear phishing attempts have diminished and now we have more Trojans.”
Louies said he had not verified the comments to his blog which alleged that the malware was using email addresses created exclusively for banking accounts.