Trickbot used to redirect users to fake bank website

Trickbot used to redirect users to fake bank website

A new banking trojan campaign is using Trickbot to redirect users to a fake website, claiming to be Lloyds Bank that displays the correct URL and has a valid SSL certificate.

The login page appears genuine but is used to steal user’s credentials and money, ZDNet reports.

According to researchers at Cyren, the attackers have sent over 75,000 phishing emails, each containing a malicious attachment named ‘IncomingBACs.xlsm’, in just under a half hour.

Once victims open the attachment and enable macros, the Trickbot payload installs and waits for the user to visit their banking website and then is redirected to the counterfeit login page. 

Readers should be aware that the phishing emails are sent from a different domain, instead of the legitimate domain lloydsbank.co.uk.

It goes without saying, users should not open up attachments sent from financial institutions as well as from untrusted sources. 

The campaign also comes after recent Symantec report that shows how Trickbot was used to spread to systems on the same network as the infected host and spread fake financial company invoices via spam.