Cisco Security has detected significant activity related to spam e-mail messages that claim to contain a new digital certificate notification for the recipient. The text in the e-mail message attempts to persuade the recipient to open the attachment to renew the digital certificate. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID5302) may contain the following files:
The file in the new_2013_digital_cert_install.zip attachment has a file size of 139,264 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x7CB4ACF5E888DFA800CD4357D7BCC61B
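The following Python code is an added example, not part of the Cisco alert or of any Cisco product: it checks the members of a .zip attachment against the file size and MD5 checksum published above and also flags any executable found inside the archive. The function names, the extension list, the verdict strings and the 50 MiB limit are assumptions made for the example.

```python
import hashlib
import io
import zipfile

# Indicator values as published in this alert (the MD5 is printed with a "0x" prefix).
ALERT_MD5 = "0x7CB4ACF5E888DFA800CD4357D7BCC61B"
ALERT_SIZE = 139264
# Assumption: extensions treated as executable; the alert itself names only .exe.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")
MAX_MEMBER = 50 * 1024 * 1024  # assumption: do not inflate members above 50 MiB


def normalize_md5(value):
    """Return a lowercase 32-character hex digest, dropping an optional 0x prefix."""
    v = value.strip().lower()
    if v.startswith("0x"):
        v = v[2:]
    if len(v) != 32 or any(c not in "0123456789abcdef" for c in v):
        raise ValueError("not an MD5 digest: %r" % value)
    return v


def scan_zip_attachment(data, md5=ALERT_MD5, size=ALERT_SIZE):
    """Inspect a .zip attachment held in memory; return one finding per member."""
    want = normalize_md5(md5)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"name": None, "verdict": "unreadable-archive"}]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            f = {"name": info.filename, "size": info.file_size,
                 "executable": info.filename.lower().endswith(EXEC_EXTS),
                 "md5": None, "verdict": "clean"}
            if info.flag_bits & 0x1:            # encrypted member: cannot be hashed
                f["verdict"] = "encrypted"
            elif info.file_size > MAX_MEMBER:   # declared size too large to inflate
                f["verdict"] = "oversized"
            else:
                f["md5"] = hashlib.md5(zf.read(info)).hexdigest()
                if f["md5"] == want and info.file_size == size:
                    f["verdict"] = "known-bad"
                elif f["executable"]:
                    f["verdict"] = "executable-in-zip"
            findings.append(f)
    return findings
```

A hash match only catches this exact sample, so the "executable-in-zip" verdict is the one that still fires when the payload is repacked.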
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Important Security Update from KeyBank
Protect yourself against online fraud
KeyBank. Unlock your Possibilities. Protect Yourself Against Online Fraud
To our valued clients,
This email is being sent to inform you that you have been granted a NEW Digital Certificate for use with Key Total Treasury (KTT) Online.
The digital certificate is an additional security enhancement that is required when performing Wire Transfers, ACH, Self Service or Foreign Draft transactions. The certificate is applied for annually, and is stored on your PC. The digital certificate is linked to your login ID and PC to allow Key to authenticate the user.
Steps to Install NEW Digital Certificate
1. Please open the attachment.
2. An enrollment form will appear for you to register. Your name, email address, and user ID will be pre-filled in the appropriate boxes. On the enrollment form you will need to enter a Challenge Phrase (which serves as an additional password). Then click on "submit".
3. After you click "submit", a window will appear asking you to confirm your email address. If your email address is correct, click OK and proceed to step 4. If the email address is incorrect, click cancel, which will return you to the enrollment screen. At this point, you will need to contact Commercial Client Services Internet Support at 800-539-9039 to have your email address corrected.
4. Once you click OK to verify your email address, a window will appear with the title "Generate A Private Key". If you would like information on the Private Key, click the button labeled "more info", otherwise click OK.
Note: Internet Explorer users will have the option to set their security level. This should be pre-set to medium. If it is not, please change the security level to medium then Click OK.
5. This step is only for Firefox users. Another window will appear titled "Setting up Your Communicator Password". This is an additional security feature to protect your digital certificate from unauthorized use. At this point, you will enter in a password, and re-enter it to confirm. Then click OK.
6. The next screen that will appear will be a screen that says "Please wait while the Digital ID is being issued" This means that we are in the process of issuing the certificate.
7. The final screen you will see is a confirmation that the certificate was issued to you. Click on the "Home" tab located near the top to return to the Internet application.
8. You will need to close your browser and re-open it before using the digital certificate to access the Wire Transfers, ACH, Self Service or Foreign Draft Modules.
If you have any questions or concerns about new digital certificate, please contact your Client Administrator.
personal banking|business banking|private banking|customer service
2013 KeyCorp. All Rights Reserved.
KeyBank | 127 Public Square | Cleveland, OH, 44114 | 1-800-KEY2YOU
Cisco Security analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.