Banamex (Citigroup in Mexico) is one of the largest banks in Mexico, so it is natural for phishers to target the users of this bank. But it isn't just related to the number of users but to the fact that Banamex uses NETKEY token to give online access. So, you may wonder why criminals are targeting Banamex if two-factor authentication is used?
The reason is, NETKEY is a "sequence-based token", this means a new pseudo-random number will be given to the user each time he/she pushes a key on the token, but won't expire after some time (like time-based tokens do).
Criminals will fool the user into thinking that he/she has reached the bank website, then the phisher will steal the login, the password and the OTP and show the user a message like "we're under maintenance, please come back in a few hours"; finally the phisher will get access to the online bank and steal the money (as long as the user doesn't log in to the genuine website before the e-robbery takes place).
The problem here is the OTP doesn't expire (I've tried with my NETKEY and I could log in two hours after reading the OTP at NETKEY's display), so the phisher has more time to steal the money. Other banks use time-based tokens so the phisher would need to log in with the stolen credentials within sixty seconds or less. Banamex should adopt the time-based solution, in the meantime its users are in risk.
Now, for the attack-vector part, the message says "a finnish kid was condemned because of a youtube video", and at the end of the text it prompts the user to download the supposed video.
The file is a .rar that contains an executable file that modifies the hosts file and it also opens a browser window with a video from youtube (in fact the video is in spanish).
The md5 of this file is: b845cbb13117a9776852bc86a802b51a
