Examples of the email subjects, arranged alphabetically and reproduced with the attackers' own typos and spelling mistakes, include:

Information on: transaction/transfer #[18 digits]

[German: Information zu: Überweisung/Umbuchung #[18 Ziffern]]

More information on Volksbank transaction: [12 digits]

[German: Weitere Informationen zum Transaktions Volksbank: [12 Ziffern]]

NTTCable telephone invoice

[German: Telefonrechnung NTTCable]

NTTCable telephone invoice for January

[German: Telefonrechnung NTTCable Januar]

NTTCable telephone invoice for January 2014

[German: Telefonrechnung NTTCable Januar 2014]

System update

[German: System-Aktualisierung]

Update your software

[German: Aktualisierung Ihrer Software]

Your account may not be compromised

[German: Die Zuverlassigkeit Ihres Kontos ist nicht im Gefahr]

Your online banking access details will soon expire

[German: Ihr Online-Banking-Zugang bald ablauft]

Your invoice dated 14 January 2014 is ready as a PDF: [18 digits].

[German: Ihre Rechnung vom 14.01.2014 steht als PDF bereit: [18 Ziffern].]

Your invoice dated 15 January 2014 is ready as a PDF: no. [18 digits].

[German: Ihre Rechnung vom 15.01.2014 steht als PDF bereit: Nr[18 Ziffern].]

Your Telekom online mobile phone invoice for business customer [18 digits] on [date] for customer account [12 digits].

[German: Ihre Telekom Mobilfunk RechnungOnline für Geschäftskunden [18 Ziffern] vom [Datum] des Kundenkontos [12 Ziffern].]
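The subject templates above can be turned directly into mail-gateway or SIEM triage rules. The following is an added example, not code from the original post or from G Data: it converts the German templates (placeholders "[N Ziffern]" and "[Datum]") into anchored regular expressions and folds umlauts and ß before matching, so that a subject written with correct umlauts and the attackers' umlaut-less spelling ("Zuverlassigkeit") hit the same rule. The date format DD.MM.YYYY for "[Datum]" and the sample subjects are assumptions constructed for the example.

```python
import re
import unicodedata

# Subject templates as listed above; "[N Ziffern]" and "[Datum]" are the
# placeholders the attackers fill in per mail. Typos are kept on purpose.
SUBJECT_TEMPLATES = [
    "Information zu: Überweisung/Umbuchung #[18 Ziffern]",
    "Weitere Informationen zum Transaktions Volksbank: [12 Ziffern]",
    "Telefonrechnung NTTCable",
    "Telefonrechnung NTTCable Januar",
    "Telefonrechnung NTTCable Januar 2014",
    "System-Aktualisierung",
    "Aktualisierung Ihrer Software",
    "Die Zuverlassigkeit Ihres Kontos ist nicht im Gefahr",
    "Ihr Online-Banking-Zugang bald ablauft",
    "Ihre Rechnung vom 14.01.2014 steht als PDF bereit: [18 Ziffern].",
    "Ihre Rechnung vom 15.01.2014 steht als PDF bereit: Nr[18 Ziffern].",
    "Ihre Telekom Mobilfunk RechnungOnline für Geschäftskunden [18 Ziffern] "
    "vom [Datum] des Kundenkontos [12 Ziffern].",
]

PLACEHOLDER = re.compile(r"\[(\d+) ziffern\]|\[datum\]", re.IGNORECASE)


def fold(text):
    """Lower-case, collapse whitespace and strip umlauts/ß so that
    'Zuverlässigkeit' and the attackers' 'Zuverlassigkeit' compare equal."""
    text = text.replace("ß", "ss")
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.split()).lower()


def template_to_regex(template):
    """Build an anchored regex from a (folded) template: literal text is
    escaped, '[N ziffern]' becomes exactly N digits, '[datum]' a DD.MM.YYYY
    date (assumed German date format)."""
    parts = []
    pos = 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        if m.group(1):
            parts.append(r"\d{%s}" % m.group(1))
        else:
            parts.append(r"\d{2}\.\d{2}\.\d{4}")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


RULES = [(t, template_to_regex(fold(t))) for t in SUBJECT_TEMPLATES]


def match_subject(subject):
    """Return the campaign template the subject matches, or None."""
    folded = fold(subject)
    for template, rx in RULES:
        if rx.match(folded):
            return template
    return None


def triage(subjects):
    """Return (subject, template) pairs for subjects that hit a known template."""
    hits = []
    for subject in subjects:
        template = match_subject(subject)
        if template is not None:
            hits.append((subject, template))
    return hits


# Constructed sample subjects for the example; not taken from real mails.
SAMPLE_SUBJECTS = [
    "Ihre Rechnung vom 15.01.2014 steht als PDF bereit: Nr123456789012345678.",
    "Die Zuverlässigkeit Ihres Kontos ist nicht im Gefahr",
    "Information zu: Überweisung/Umbuchung #123456789012345678",
    "Telefonrechnung NTTCable Januar 2014",
    "Ihre Rechnung vom 15.01.2014 steht als PDF bereit",  # no number: no hit
    "Protokoll vom Meeting",
]

if __name__ == "__main__":
    for subject, template in triage(SAMPLE_SUBJECTS):
        print("HIT: %r -> template %r" % (subject, template))
```

The rules are anchored and exact on purpose: they are meant for triaging mail from this one campaign (and for hunting in mail logs), not as a general phishing classifier, and they will need updating as soon as the attackers rotate subjects.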



If the user clicks on the link, a .zip archive is downloaded to the computer. Inside this archive the attackers have placed an executable belonging to the Cridex malware family. As soon as the user runs the .exe file, the banking Trojan infects the PC.
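A gateway or sandbox can flag this delivery pattern before the user ever runs the file. The following is an added example, not code from the original post or from G Data: it inspects a downloaded zip without extracting it and reports members that carry an executable extension, a double extension such as "Rechnung.pdf.exe", or a PE "MZ" header regardless of their name, and it notes password-protected members whose content cannot be read. The sample archive, its file names and its fake "MZ" payload are constructed for the example and are not a real Cridex sample.

```python
import io
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Document types that attackers like to put in front of a real executable extension.
DECOY_SUFFIXES = {"pdf", "doc", "docx", "xls", "txt", "jpg"}


def suspicious_members(zip_bytes):
    """Inspect a zip held in memory and return (member name, reasons) for every
    entry that looks like a dropped executable. Nothing is extracted to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            reasons = []

            if lower.endswith(EXECUTABLE_SUFFIXES):
                reasons.append("executable extension")

            # Double extension check on the base name only (no path component).
            parts = lower.rsplit("/", 1)[-1].split(".")
            if len(parts) >= 3 and parts[-2] in DECOY_SUFFIXES:
                reasons.append("double extension")

            # Bit 0 of the general purpose flag marks an encrypted member; the
            # data cannot be read without the password, which is itself a signal.
            if info.flag_bits & 0x1:
                reasons.append("password-protected member (content not inspected)")
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("MZ header (PE executable)")

            if reasons:
                findings.append((name, ", ".join(reasons)))
    return findings


def build_sample_zip():
    """Constructed sample archive shaped like the one described above.
    The 'executable' is just the DOS magic plus padding and cannot run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Rechnung_Nr123456789012345678.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Hinweis.txt", b"Bitte Rechnung beachten.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_zip()):
        print("%s: %s" % (member, why))
```

The three checks are deliberately independent: a renamed PE with a harmless extension is still caught by the header check, and a script dropper without an "MZ" header is still caught by its extension.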

Malware in this family is known for functions such as:

Man-in-the-browser functionality: traffic to and from online banking websites is intercepted and manipulated inside the browser, which the attackers use to tamper with transactions for financial gain.

Persistence on the system (registry entries and copies of the malware file).

Keylogging, mainly on online banking websites.

Exfiltrating the collected information over the Internet to the attackers' servers.

Downloading additional malware files and installing them on the infected computer.



According to the latest information, the malicious files are hosted on servers in Romania, Russia, Britain and the USA. The attackers keep uploading new variants of the malware to these servers in order to keep detection by AV products as low as possible.

However, the various G Data protection technologies hold the malware in check, foremost among them the G Data BankGuard technology, which is included in the current end user products, for example. BankGuard detections of Cridex have reached a new high in recent weeks. The Trojan was first detected in 2011, but has only shown significant levels of activity since April 2013 (see G Data Malware Report H1 2013). In the recent past, however, it has been causing even more of a stir than the established banking Trojan ZeuS and all its clones, such as Citadel and Gameover: