CERT-RO’s 7 Recommendations on Malware Campaign Targeting Bank Customers in Romania

July 18, 2021 | Cybersecurity News

Cyberattacks are continuously targeting bank customers in Romania. After CERT-RO issued an online alert regarding a series of phishing attacks trying to break into users’ internet banking accounts, a new malware-spreading campaign is hitting bank customers again via malicious emails.

CERT-RO is the Romanian national cyber security and incident response team

About Transilvania Bank

Banca Transilvania S.A. is a banking institution with headquarters in Cluj-Napoca, Romania. BT currently ranks 1st among banks in Romania in terms of assets, with a market share of over 16%. Its activity is organized into four main business lines: corporate banking, SMEs (IMM), retail banking, and medical division. Banca Transilvania has about 1.76 million customers, 550 locations, and over 7,000 employees.

What the new Malware Campaign entails

To be more specific, the user receives a fake message via email in which they are being informed about a payment made using their bank account. The email also contains an attachment, which the message falsely claims holds information regarding the payment order and further details about the transaction.

Unlike other previous phishing attempts, this message is well written, and the attention to detail is crystal clear.

Obviously, this message is sent out by attackers, crafted in such a way that it seems legitimately delivered by the financial institution. Additionally, hackers impersonate Transilvania Bank by copying its visual identity, using realistic details, such as the font, the logo, and the bank’s address, in order to fool the receiver.

The email also claims to be sent automatically, and it contains legitimate and accurate data about the bank impersonated.

The phishing email contains malware disguised as a payment order

This email seems to be socially engineered to trigger fear in users, tricking them into believing that the said amount of money was stolen from their account. Further on, receivers may hastily access the malicious attachment and install malware involuntarily.

The attachment called ‘Payment Order’ is not even a document but an executable file (.exe), which will install a form of malware called ‘Agent Tesla’ onto the device.

This specific malware can record what the user types as well as the text they copy to the clipboard. This information is collected by a command and control (C2) server operated by the attackers. So when the user logs into their personal or work accounts, the attackers can easily steal their credentials.

CERT-RO’s Recommendations against the Malware Campaign

CERT-RO (National Cybersecurity Incident Response) recommends a series of precautions against the new threat:

  1. To avoid being tricked into giving away your credentials, CERT-RO recommends being cautious in any online activity. Being careful is crucial because you can be targeted via various means, such as email, SMS, social media, or phone calls, by hackers who pretend to be employees or representatives of the bank or of other reputable institutions. Think twice before you click!
  2. If you receive an email or an SMS from the bank, check the source thoroughly. Sometimes, the sender is hidden, and the address spoofed, but other times, the attackers use an alias. So, click on the ‘View Source’ button in the browser to detect the sender’s real address.
  3. If you have any doubts regarding a message that you received, check the information with the sender.
  4. Use an antivirus software program to scan potentially malicious links or attachments.
  5. Keep your operating system and software up to date.
  6. Regularly back up your important files and store them on external media, disconnected from the device.
  7. If you fell victim to a cyberattack and money has been stolen from your bank account, contact the bank and the police immediately.
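
The checks behind recommendation 2 and the disguised ‘Payment Order’ attachment described earlier can be automated over the raw message source. The script below is an added example, not code from CERT-RO or the bank; the domains, the extension list, the function names and the sample message are all constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows runs directly (assumption of this example, not exhaustive).
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To/Return-Path header."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def triage(raw_bytes, expected_domain):
    """Return a list of findings for one raw message (the 'View Source' text)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    # The display name can say anything; only the address domain is compared.
    if from_dom != expected_domain and not from_dom.endswith("." + expected_domain):
        findings.append(f"From address domain is {from_dom!r}, not {expected_domain!r}")
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXTS):
            findings.append(f"attachment {name!r} has an executable extension")
        if data[:2] == b"MZ":  # DOS/PE header: a Windows executable whatever it is called
            findings.append(f"attachment {name!r} starts with the MZ executable signature")
    return findings

def build_sample():
    """Constructed sample: bank-like display name, inert bytes posing as a document."""
    m = EmailMessage()
    m["From"] = '"Bank Notifications" <noreply@mailer.invalid>'
    m["Reply-To"] = "collector@other.invalid"
    m["To"] = "customer@example.org"
    m["Subject"] = "Payment Order"
    m.set_content("This message was generated automatically.")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="pdf", filename="Payment Order.exe")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample(), expected_domain="bank.example"):
        print("-", finding)
```

A clean result only means these particular checks passed; SPF, DKIM and DMARC results recorded by the receiving mail server remain the stronger signal for sender authenticity.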

Even though the attack is local to Romania, these 7 suggestions are very useful and can apply to everyone.

Last but not least, these attacks are all the more dangerous for company owners. Your entire business could bear immense costs and operational disruption due to a small human error. Not to mention that your company’s image and your business relationships can suffer damage that is very difficult to repair.


Provide your employees with the necessary knowledge to spot and deflect a phishing attack with ATTACK Simulator’s clever 4-Step Phishing Simulations. It’s a small investment today that could save you a ton of money tomorrow.





by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.
