WorldPay emails contain attached malware

Pay extra attention when receiving messages with the subject "WorldPay CARD transaction Confirmation" claiming that your invoice is attached to the email as a ZIP file.

MX Lab intercepted emails with malware attached. The From address doesn't belong to WorldPay at all and is spoofed randomly. This is the content of the body:

Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.

Sincerely, 
Amazon Team

This confirmation only indicates that your transaction has been processed successfully. 
It does not indicate that your order has been accepted. 
It is the responsibility of Amazon Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.

The malware is known as Trojan-Spy:W32/Zbot.OSK (F-Secure), Trojan-Spy.Win32.Zbot.sot (Kaspersky), PWS:Win32/Zbot.M (Microsoft) or Mal/EncPk-HZ (Sophos).

The threat has the characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screenshots, downloads additional components, and gives the attacker remote access to the compromised system.

VirusTotal permalink and MD5: d4131d5a287bce49ddb3a4f9db7e7dc1.

WordPress comments lead to fake profiles on LinkedIn

Although it has nothing to do with real spam, it caught my attention when managing the MX Lab blog. When reading some comments I noticed that the URL provided by the commenter was leading to a LinkedIn profile. Some examples are below.

New comment on your post #125 “Email pollution and spam to think about”
Author : Heartburn Home Remedy (IP: 92.112.90.181 , 181-90-112-92.pool.ukrtel.net)
E-mail : vin45ce45622@gmail.com
URL    : http://www.linkedin.com/in/heartburnhomeremedy
Whois  : http://ws.arin.net/cgi-bin/whois.pl?queryinput=92.112.90.181
Comment: 

I read your blog for quite a long time and must tell that your posts are always valuable to readers.

And this one:

New comment on your post #230 “Nice Citibank phishing attempt example”
Author : How to Get Six Pack Fast (IP: 92.112.81.15 , 15-81-112-92.pool.ukrtel.net)
E-mail : vincedel422@gmail.com
URL    : http://www.linkedin.com/in/howtogetasixpackfast
Whois  : http://ws.arin.net/cgi-bin/whois.pl?queryinput=92.112.81.15
Comment: 

After reading this article, I just feel that I need more info. Can you suggest some resources?

Visiting the URL leads us to a fake LinkedIn profile.

Notice the three website links in the profile. They all point to http://bit.ly, a URL shortening and click-tracking service, so the real destination is not visible in the profile.

The following sites appear when visiting some of the links; they are obviously very commercial.

Be careful when using or visiting sites that are promoted through a URL shortening and tracking service. Because the URL is so short and reveals no details about the real destination, you could end up on sites that host malware or are phishing sites. It is a very common technique to lure the surfer.

AIG survey leads to a phish

Disguising a phishing attempt as a survey seems to be a popular technique, and banks are a target too. The fake online AIG survey at hxxp://200.85.152.190/aig/survey is just another example.

It is a very short survey and it asks you to fill in your personal contact details. If filled in truthfully, this is an additional source of personal information for the phisher.

When the survey is complete you get a screen asking for your credit card details, supposedly so that a $100 credit can be paid to your account. It is far more likely that $100 or more will be deducted from your credit card account instead.

Never complete a survey that asks you to fill in credit card details. Also, this site is hosted on a bare IP address and not on a domain name. That is always suspicious.
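The two red flags raised in these posts, a link that goes through a URL shortener such as bit.ly and a site served from a bare IP address instead of a domain, can be checked mechanically before anyone clicks. The following triage helper is an added example, not MX Lab's code; it also accepts the defanged "hxxp://" notation used above, and the shortener list contains only the host named on this page (an assumption; extend it as needed).

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: only the shortener mentioned on this page; extend with others you track.
SHORTENER_HOSTS = {"bit.ly"}


def refang(url):
    """Turn a defanged 'hxxp://' or 'hxxps://' URL back into a parsable one."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url
    return scheme.lower().replace("hxxp", "http") + "://" + rest


def triage_url(url):
    """Return the list of red flags for a URL (empty list means none found).

    Flags: the host is a bare IP address (v4 or v6) rather than a domain name,
    or the host is a URL shortener, so the real destination is hidden.
    """
    url = refang(url)
    if "://" not in url:          # bare host, as in "200.85.152.190/aig/survey"
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()   # hostname strips port and [ ]
    if not host:
        return ["no host"]

    flags = []
    try:
        ip_address(host)
        flags.append("host is a bare IP address")
    except ValueError:
        pass   # a domain name, which is the normal case
    if host in SHORTENER_HOSTS or any(host.endswith("." + s) for s in SHORTENER_HOSTS):
        flags.append("host is a URL shortener, real destination hidden")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs, including the defanged one quoted in the post.
    for sample in ("hxxp://200.85.152.190/aig/survey",
                   "http://bit.ly/abc123",
                   "http://www.linkedin.com/in/heartburnhomeremedy"):
        print(sample, "->", triage_url(sample) or ["no red flags"])
```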
