
TSPY_BANKER.EUIQ

By Domesticus in Trojans

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 31
First Seen: May 18, 2012
Last Seen: April 24, 2023
OS(es) Affected: Windows

The TSPY_BANKER.EUIQ Trojan is a malware infection designed to steal banking information. However, rather than using keylogger attacks to obtain this information, TSPY_BANKER.EUIQ takes a sneakier approach: browser hijacking. Basically, TSPY_BANKER.EUIQ redirects computer users to phishing websites set up to look identical to popular banks' websites. TSPY_BANKER.EUIQ can be configured to carry out these redirects whenever the victim attempts to connect to a legitimate banking website. Once there, any login details the victim enters, such as an account number and password, are handed straight to the criminals operating these copycat websites and TSPY_BANKER.EUIQ itself. TSPY_BANKER.EUIQ works together with another malware infection, TROJ_KILSRV.EUIQ. This second Trojan is designed to delete GBPlugin. While this add-on was originally intended to protect Brazilian banking users from similar attacks, there is no question that the criminals behind TSPY_BANKER.EUIQ have found a way to circumvent its protection.

Currently, TSPY_BANKER.EUIQ is distributed through a social engineering attack that disguises the file as a supposed setup file for the popular web browser Google Chrome. While, in theory, TSPY_BANKER.EUIQ could be used to attack computer users all over the world, it is targeted at Brazilian computer users and South American banks. Currently, the banks targeted by TSPY_BANKER.EUIQ include those with these strings or addresses: 'Caixa Econômica Federal,' www.sicredi.com.br, 'Banco Santander Brasil | Pessoa Jurídica | Atendimento empresarial, empresas' and 'Banco Itaú – Feito Para Você.'

Detecting TSPY_BANKER.EUIQ's Bank Phishing Websites

Carefully observing the supposed banking websites reveals details that betray their true nature. For example, the websites' titles will have small discrepancies from the legitimate bank's website title: the bank's name may include an underscore ('_') or very slight changes in spelling. The web address will also be different, using a URL that has minor differences from the targeted bank's. Because of this, ESG security researchers strongly advise checking any website's name and address before entering highly sensitive data, such as banking information or credit card numbers. If you find that the URL does not match or that there are unusual discrepancies in the website's appearance, this may indicate a phishing attack; if you suspect this is the case, you should never enter your information.
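The redirect behaviour described above and the tell-tale signs listed in this section (a near-miss hostname, an underscore or a small spelling change in the window title) can be turned into a simple allow-list check. The following is an added example written for this page, not code from the threat write-up or from any vendor tool. Only www.sicredi.com.br is an address named in the write-up; the other hostnames, all of the expected titles, and the three-edit "near miss" threshold are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list of legitimate banking sites for this example.
# www.sicredi.com.br is the one address the write-up names; the remaining
# hostnames and every window title below are assumptions for illustration.
KNOWN_BANKS = {
    "www.sicredi.com.br": "Sicredi",
    "www.caixa.gov.br": "Caixa Econômica Federal",
    "www.santander.com.br": "Banco Santander Brasil | Pessoa Jurídica | "
                            "Atendimento empresarial, empresas",
    "www.itau.com.br": "Banco Itaú – Feito Para Você",
}

# Assumed threshold: a hostname or title within this many single-character
# edits of a known bank counts as a lookalike ("near miss").
NEAR_MISS_EDITS = 3


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance: insertions, deletions and substitutions
    each cost 1. Small enough to catch 'sicred1' vs 'sicredi'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize_title(title: str) -> str:
    """Collapse whitespace and case so only real spelling changes count."""
    return " ".join(title.split()).casefold()


def assess_page(url: str, title: str) -> list[str]:
    """Return human-readable findings for a page the user is about to log
    into. An empty list means the URL and title match a known bank exactly."""
    findings = []
    host = (urlparse(url).hostname or "").casefold()
    norm_title = normalize_title(title)

    if host in KNOWN_BANKS:
        # Legitimate address: only the title can still be off (e.g. the
        # write-up's underscore trick or a misspelled bank name).
        if norm_title != normalize_title(KNOWN_BANKS[host]):
            findings.append(f"title {title!r} differs from the expected title for {host}")
    else:
        # Unknown address: flag it if it imitates a known bank by hostname
        # or by reusing (or nearly reusing) a known bank's window title.
        for known_host, known_title in KNOWN_BANKS.items():
            d_host = edit_distance(host, known_host)
            if d_host <= NEAR_MISS_EDITS:
                findings.append(f"hostname {host!r} is {d_host} edit(s) from {known_host!r}")
            d_title = edit_distance(norm_title, normalize_title(known_title))
            if d_title <= NEAR_MISS_EDITS:
                findings.append(f"title {title!r} is {d_title} edit(s) from the title used by {known_host!r}")

    if "_" in title:
        findings.append("title contains an underscore, one of the discrepancies noted for these copycat sites")
    return findings


if __name__ == "__main__":
    # Constructed inputs: one genuine page, one lookalike hostname, and the
    # genuine address showing a tampered title (as a hijacked redirect would).
    for url, title in [
        ("https://www.sicredi.com.br/login", "Sicredi"),
        ("http://www.sicred1.com.br/", "Sicredi"),
        ("https://www.itau.com.br/", "Banco Ita_ - Feito Para Voc"),
    ]:
        print(url, "->", assess_page(url, title) or ["no discrepancies"])
```

The exact-match branch is deliberately strict: a genuine hostname whose title differs from the expected one is reported rather than excused, because the write-up's whole point is that the address bar and the page title are the two things a user can still verify once the browser has been hijacked.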
