Attention! Dear Depositor–the FDIC (Federal Deposit Insurance Corporation) is not sending you an e-mail with a mysterious ZIP file attachment. If you receive such a message claiming to be from the FDIC, don’t be fooled. The e-mail is a phishing attack, and the attachment is actually malware.
Fred Touchette has some more details about this phishing scam in an AppRiver blog post. Touchette explains, “We often see, as everyone is aware of, malware campaigns that pretend to come from major banking institutions, but I can’t recall having seen any that come from their insurers before.”
That is true. Phishing scams targeting specific banks or credit unions are fairly common. This threat–by virtue of claiming to be from the FDIC that insures the deposits of virtually all financial institutions–has a much larger pool of potential victims. Basically, rather than only targeting Bank of America, or Wells Fargo, or some other bank, this phishing scam targets anyone with a bank account.
Unfortunately–at least for the attackers–the message is a bunch of grammatically error prone gibberish. “In order to inform you about the news concerning current business activity of the Company on a timely basis, please, look through the last important changes in current regulations of endowment insurance procedure” doesn’t even make sense, so hopefully it is unlikely to lure too many naïve victims to actually open the file attachment as directed.
Touchette describes the actual threat behind the FDIC phishing attack. “In actuality the attachment is a Trojan downloader, one we’ve become very accustomed to–Oficla. Oficla is responsible for doing the hard work, which is tricking you into installing it and opening up the backdoor and letting in all of its ne’er-do-well buddies. In the past these have included everything from scareware viruses to data loggers such as ZeuS and everything in between.”
The attackers get some bonus points for thinking outside of the box and attempting to spoof the FDIC rather than a specific financial institution, but they fail miserably in the execution department.
Let’s sum up with the obligatory warnings. Neither your bank, nor the FDIC will send you an e-mail–poorly worded or otherwise–directing you to open up some cryptic file attachment. Just don’t do it. If you ever have reason to feel that such a message could potentially be legitimate, delete the e-mail anyway and contact your financial institution directly.
Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read ouraffiliate link policyfor more details.