Researchers have discovered a new spam campaign infecting thousands of computers in order to steal banking credentials through the Dyre banking trojan.
The campaign was picked up by analysts at security firm Bitdefender, who indicated that the spam contains phony fax HTML files linking to URLs that lead users to obfuscated JavaScript code, which automatically downloads “a zip archive from a remote location,” according to a recent release.
Each downloaded archive is named differently, allowing it to thwart anti-virus protection. The contents of the zip archive – posing as PDF files – are actually executables that download the Dyre trojan.
The malware is known to install itself on a victim's computer and wait for them to visit a particular login page of a financial institution to steal credentials. Targeted banks include Bank of America, Citibank and Wells Fargo.
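A mail gateway or triage script can catch the archive trick described above by comparing each entry's name with its leading bytes. The following is an added example, not code from Bitdefender or from this article; the file names, the sample archive and the two magic-byte heuristics (`MZ` for Windows executables, `%PDF-` for real PDFs) are assumptions made for illustration.

```python
import io
import zipfile


def build_sample_zip(entries):
    """Build an in-memory zip from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_disguised_executables(zip_bytes):
    """Return (entry name, reason) for entries whose content contradicts a PDF-like name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 set: entry is encrypted
                findings.append((info.filename, "encrypted entry, cannot inspect"))
                continue
            with zf.open(info) as fh:
                magic = fh.read(5)  # enough for both signatures
            name = info.filename.lower()
            is_pe = magic.startswith(b"MZ")      # DOS/PE header (header-only heuristic)
            is_pdf = magic.startswith(b"%PDF-")  # genuine PDF header
            if is_pe and "pdf" in name:
                findings.append((info.filename, "PE executable named like a PDF"))
            elif name.endswith(".pdf") and not is_pdf:
                findings.append((info.filename, "content is not a PDF"))
    return findings


# Constructed sample archive: names and contents are invented for this example.
SAMPLE = build_sample_zip({
    "fax_0001.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,  # executable posing as a PDF
    "invoice.pdf": b"%PDF-1.4\n%%EOF\n",               # genuine PDF header
    "broken.pdf": b"plain text, not a PDF",            # extension/content mismatch
    "readme.txt": b"hello",                            # unrelated file, ignored
})

if __name__ == "__main__":
    for entry, reason in find_disguised_executables(SAMPLE):
        print(f"{entry}: {reason}")
```

Because the check reads content rather than the archive's file name, it is unaffected by each download being named differently.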