A new phishing scam is targeting Bank of America customers who use the bank’s “Bank of America Direct Digital Certificate program”. The program offers full-service internet-based banking to businesses. To access it, customers need to install a BOA-issued digital certificate into their web browser. The attack focuses on the site that allows them to use their company ID, username and password to re-download their certificate if needed.
The emails being sent tell customers that their certificates have expired and must be re-downloaded, or that an updated version is available. A masked URL directs them to a fake version of the certificate pick-up site. If the customer fills out the form, they not only have their login details stolen, but they are then asked to download the “certificate”, which is really the Waledac Trojan. The malware scans their systems for personal and financial information. Waledac also adds the infected computer to its botnet and uses it to send out even more malicious spam.
Bank of America is aware of the scam and recommends that customers call the bank to verify any emails they receive, and to remember that they will never be asked for their username and password via email.