Threat Outbreak Alert: Fake KeyBank Security Update Notification E-mail Messages on February 14, 2013
IntelliShield: Threat Outbreak Alert
2013 February 14 19:55 GMT
Cisco Security has detected significant activity on February 14, 2013.
Cisco Security has detected significant activity related to spam e-mail messages that claim to contain a new digital certificate notification for the recipient. The text in the e-mail message attempts to persuade the recipient to open the attachment to renew the digital certificate. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID5302) may contain the following files:
The new_2013_digital_cert_install.exe file in the new_2013_digital_cert_install.zip attachment has a file size of 139,264 bytes. The MD5 checksum of the executable is the following string: 0x7CB4ACF5E888DFA800CD4357D7BCC61B. Use the MD5 value to match this known sample; because MD5 is not collision-resistant, it should be treated as a lookup key for the sample rather than as proof that a file is or is not this executable.
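The following script is an added triage example and is not Cisco code. It builds a constructed .eml message inline (the sender address, the recipient address and the bytes inside the archive are assumptions; the "executable" is harmless filler, not the real sample), extracts every .zip attachment, lists the archive members and flags executables by name, size and MD5 against the indicators given above. Because the filler bytes are not the real sample, only the name-based indicator and the generic "executable inside a mailed zip" heuristic fire on it, which is the behaviour a practitioner should expect when matching a new variant against an older hash.

```python
"""Triage an e-mail for the .zip-wrapped executable lure described in the alert.

Added example (not Cisco's code): builds a constructed .eml inline, pulls every
.zip attachment out of it, lists the archive members, and flags executables whose
name, size or MD5 match the alert's indicators.
"""
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage

# Indicators taken from the alert. MD5 is adequate to match a known sample but is
# not collision-resistant; treat it as a lookup key, not proof of identity.
IOC_NAME = "new_2013_digital_cert_install.exe"
IOC_SIZE = 139264
IOC_MD5 = "7cb4acf5e888dfa800cd4357d7bcc61b"
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)


def build_sample_eml() -> bytes:
    """Constructed message mimicking the lure; the 'exe' is inert filler, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(IOC_NAME, b"MZ" + b"\x00" * 1022)  # constructed, harmless 1024 bytes
        zf.writestr("readme.txt", b"Install instructions")
    msg = EmailMessage()
    msg["From"] = "KeyBank <security@example.invalid>"  # assumed sender, not from the alert
    msg["To"] = "client@example.invalid"                 # assumed recipient
    msg["Subject"] = "Important Security Update from KeyBank"
    msg.set_content("Steps to Install NEW Digital Certificate\n1. Please open the attachment.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="new_2013_digital_cert_install.zip")
    return msg.as_bytes()


def zip_attachments(raw: bytes):
    """Yield (filename, bytes) for every attachment that is, or claims to be, a zip."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Trust the bytes, not the MIME type or the extension: zip archives start with 'PK'.
        if data[:2] == b"PK" or name.lower().endswith(".zip"):
            yield name, data


def triage_zip(name: str, data: bytes) -> list:
    """Inspect archive members; return one finding per member with match flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"archive": name, "member": info.filename,
                                 "skipped": "oversized", "suspicious": True})
                continue
            blob = zf.read(info)
            md5 = hashlib.md5(blob).hexdigest()
            is_exec = info.filename.lower().endswith(EXEC_SUFFIXES)
            findings.append({
                "archive": name,
                "member": info.filename,
                "size": len(blob),
                "md5": md5,
                "executable": is_exec,
                "ioc_name": info.filename.lower() == IOC_NAME,
                "ioc_hash": md5 == IOC_MD5 and len(blob) == IOC_SIZE,
                # An executable inside a mailed zip is reason enough to quarantine,
                # whether or not the hash matches a known sample.
                "suspicious": is_exec,
            })
    return findings


def triage_email(raw: bytes) -> list:
    """Full pipeline: every zip attachment -> every member -> findings."""
    out = []
    for name, data in zip_attachments(raw):
        try:
            out.extend(triage_zip(name, data))
        except zipfile.BadZipFile:
            # A .zip that does not parse is itself worth a look, not a pass.
            out.append({"archive": name, "member": None,
                        "skipped": "not a valid zip", "suspicious": True})
    return out


def is_suspicious(raw: bytes) -> bool:
    """True if any attachment member should hold the message for review."""
    return any(f["suspicious"] for f in triage_email(raw))


if __name__ == "__main__":
    for finding in triage_email(build_sample_eml()):
        print(finding)
```

Run it against a real message by replacing `build_sample_eml()` with the bytes of the .eml; the hash indicator only fires on the exact 139,264-byte sample, so the executable-in-zip heuristic is what catches repacked variants.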
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Important Security Update from KeyBank
Protect yourself against online fraud
KeyBank. Unlock your Possibilities. Protect Yourself Against Online Fraud
To our valued clients,
This email is being sent to inform you that you have been granted a NEW Digital Certificate for use with Key Total Treasury (KTT) Online.
The digital certificate is an additional security enhancement that is required when performing Wire Transfers, ACH, Self Service or Foreign Draft transactions. The certificate is applied for annually, and is stored on your PC. The digital certificate is linked to your login ID and PC to allow Key to authenticate the user.
Steps to Install NEW Digital Certificate
1. Please open the attachment.
2. An enrollment form will appear for you to register. Your name, email address, and user ID will be pre-filled in the appropriate boxes. On the enrollment form you will need to enter a Challenge Phrase (which serves as an additional password). Then click on "submit".
3. After you click "submit", a window will appear asking you to confirm your email address. If your email address is correct, click OK and proceed to step 4. If the email address is incorrect, click cancel, which will return you to the enrollment screen. At this point, you will need to contact Commercial Client Services Internet Support at 800-539-9039 to have your email address corrected.
4. Once you click OK to verify your email address, a window will appear with the title "Generate A Private Key". If you would like information on the Private Key, click the button labeled "more info", otherwise click OK.
Note: Internet Explorer users will have the option to set their security level. This should be pre-set to medium. If it is not, please change the security level to medium then Click OK.
5. This step is only for Firefox users. Another window will appear titled "Setting up Your Communicator Password". This is an additional security feature to protect your digital certificate from unauthorized use. At this point, you will enter in a password, and re-enter it to confirm. Then click OK.
6. The next screen that will appear will be a screen that says "Please wait while the Digital ID is being issued" This means that we are in the process of issuing the certificate.
7. The final screen you will see is a confirmation that the certificate was issued to you. Click on the "Home" tab located near the top to return to the Internet application.
8. You will need to close your browser and re-open it before using the digital certificate to access the Wire Transfers, ACH, Self Service or Foreign Draft Modules.
If you have any questions or concerns about new digital certificate, please contact your Client Administrator.
personal banking|business banking|private banking|customer service
2013 KeyCorp. All Rights Reserved.
KeyBank | 127 Public Square | Cleveland, OH, 44114 | 1-800-KEY2YOU
Cisco Security analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.
Revision history: Original Release (Base)
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.