Trickbot is back, new and improved, and is targeting customers of Lloyds Bank in the UK in a new phishing campaign, according to cybersecurity specialist Cyren.

The malware uses new techniques that make it even harder for the casual user to notice anything unusual while their browser session is hijacked and their credentials and security codes are stolen, Cyren says.

Stealing banking credentials through phishing attacks is nothing new, but Trickbot takes it “to another level”, according to Cyren, “by showing the user the correct URL of the online bank and a legitimate SSL certificate, so the user sees nothing unusual”.

Until now, phishing malware pages have never had the correct URL, it emphasises.

A large number of spam e-mails claiming to be from Lloyds Bank were sent to UK online banking users this week. The messages are well-produced HTML e-mails, with the “from” field showing as “Lloyds Bank”.


Closer inspection of the sender address, however, reveals that the e-mail is from “” not “” – a very similar domain which was just created. Most (but not all) of the emails are being sent from a Dutch IP (, which is a previously known source of spam and hosts many malicious domains, Cyren says.
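
As an added illustration (not code from Cyren or the original article), the check described above, a trusted display name paired with a sender domain that is merely similar to the real one, can be automated at a mail gateway. The brand name, domains, distance threshold and sample headers are constructed placeholders, because the domains from the campaign are not reproduced in this article.

```python
from email.utils import parseaddr

# Constructed allowlist: brand text expected in the display name -> domains
# that brand really sends from. "bank.example" is a placeholder.
BRAND_DOMAINS = {"example bank": {"bank.example"}}
MAX_DISTANCE = 2  # assumed threshold for a "very similar" domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from(header: str) -> str:
    """Return 'ok', 'lookalike', 'brand-mismatch' or 'unbranded'."""
    display, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in display.lower():
            continue  # display name does not claim this brand
        if domain in domains or any(domain.endswith("." + d) for d in domains):
            return "ok"  # exact domain or a subdomain of it
        if any(edit_distance(domain, d) <= MAX_DISTANCE for d in domains):
            return "lookalike"  # near miss: the pattern described above
        return "brand-mismatch"  # brand claimed from an unrelated domain
    return "unbranded"


# Constructed sample From headers.
SAMPLES = [
    '"Example Bank" <secure@bank.example>',
    '"Example Bank" <secure@bannk.example>',
    '"Example Bank" <alerts@mail.bank.example>',
    '"Example Bank" <info@unrelated.example>',
    '"Newsletter" <news@shop.example>',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{classify_from(h):15} {h}")
```

A display-name check like this complements SPF, DKIM and DMARC, which authenticate the domain actually used but say nothing about whether that domain imitates another.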


To demonstrate the scale of the attack, the cybersecurity company says it witnessed – and blocked – 75,000 such e-mails for its customers in a single 25-minute window.
