Merril Lynch phish making the rounds

A new Merrill Lynch phish is hitting the rounds, with a dangerous payload.
The phish typically looks something like this:

Merrill12388123888

Subject lines include “New ML Business Centre Login Page”, “Merrill Lynch Business Centre with new Login Page?” and “Merrill Lynch Business Centre Website changing marketing process.”

The phish points to a website which pushes a new “certificate” that is needed.

Merrill12388123888a

The “Certificate” is a variant of Papras, a data-stealing trojan. However, don’t expect it’s only Merrill Lynch. We believe that this trojan is being used in a similar Colonial Bank scam, and there are likely others.