Scammers Exploiting Bogus DigiNotar SSL Certificates

Tuesday, September 20, 2011



Spammers and malware distributors have started to take advantage of Dutch certificate authority DigiNotar's recent security breach.

Attackers recently managed to hack into the web security firm and steal hundreds of bogus security certificates that could be used to exploit websites including Google, Microsoft, and Twitter.

Security provider Barracuda Networks has warned of a spamming campaign targeting Royal Bank of Canada customers.

The spam messages falsely notify users that their SSL certificate has expired, and that in order to continue using online banking services they are required to update the certificate.

The message also contains the bank's logo and a link pointing to a suspicious domain, and the email's header has been spoofed to appear as if the message is actually from RBC.


Notice there are two links; the second leads to a web server hosting an exploit kit that performs several attacks on the victim's operating system, including:

  • Attack on Java runtime
  • Attack on Adobe PDF reader
  • Attack on Windows Media Player

These attacks exploit vulnerable software versions and result in the download and execution of "Trojan.Buzus".

The malware strain opens a backdoor on the infected machine to steal various information, such as personal financial data (including credit card numbers and online banking details) and passwords from various email and FTP applications like Trillian, Microsoft Outlook, and CuteFTP.

It also tries to compromise the security settings of various security-related products.
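The three traits of the spam message described above (a certificate-expiry lure, a spoofed sender, and a link to a domain unrelated to the bank) can be checked mechanically at a mail gateway. The following is an added example, not code from the article or from Barracuda Networks; the sample message, `bank.example` and the link hosts are constructed placeholders, and it assumes the receiving mail server records SPF/DKIM/DMARC results in an `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: all domains and hosts are placeholders.
SAMPLE = """\
From: "Bank Online Services" <service@bank.example>
To: customer@mail.example
Subject: Your SSL certificate has expired
Authentication-Results: mx.mail.example; spf=fail smtp.mailfrom=bulk.invalid
Content-Type: text/html

<p>Your SSL certificate has expired. Update it to continue online banking.</p>
<a href="https://www.bank.example/help">Help</a>
<a href="http://update-cert.invalid/renew">Update certificate</a>
"""

# Wording typical of the lure: a certificate that "expired" or needs an "update".
LURE = re.compile(r"(ssl|security|digital)\s+certificate.{0,40}(expired|update|renew)",
                  re.I | re.S)
HREF = re.compile(r'href\s*=\s*["\']([^"\']+)', re.I)

def same_org(host, domain):
    """True when host is the claimed sender domain or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return a list of findings for one raw, non-multipart message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    body = msg.get_payload()
    findings = []
    if LURE.search(msg.get("Subject", "") + "\n" + body):
        findings.append("certificate-expiry lure")
    # A spoofed From header normally fails the receiver's authentication checks.
    auth = msg.get("Authentication-Results", "").lower()
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail)", auth):
        findings.append("sender authentication failed")
    # Every link host is compared with the domain the message claims to be from.
    for url in HREF.findall(body):
        host = urlparse(url).hostname or ""
        if host and not same_org(host, sender_domain):
            findings.append("link leaves sender domain: " + host)
    return findings
```

On the constructed sample, the first link stays on the claimed sender's domain and is not flagged; only the second, off-domain link is reported, matching the two-link layout the article describes.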

