Phishing emails with attached HTML forms instead of embedded URLs

MX Lab noticed an increase in phishing emails that carry an attached HTML form instead of the usual embedded URL that directs the user to an online form.

Phishing emails with an embedded URL are subject to URL filters and so-called intent analysis techniques: the email can be blocked successfully when the URL is known as a phishing site.

Phishers try to avoid these techniques by sending an HTML page as an attachment to the email. The instructions in the email make sure the receiver knows how to handle the attachment: once the attached web page is opened in a browser, you get a form asking for some details. The data is submitted to an online web site that handles the request and redirects you further.

Western Union phishing

The phishing email is sent from the spoofed address Western Union customer-support@westernunion.com with the subject “Notice from WesternUnion© : Access to sensitive part of your online account has been suspended(CODE:RX41819S1)”.

The attached file is named restore.account.html; when opened in a browser it shows a web form that asks for your personal details.

Investigating the HTML code shows that the CSS, JavaScript and images are requested from the official Western Union web site. The form's post action submits the details to hxxp://elainegohl.biz/restore.php.

PayPal phishing

The message comes from account@ paypall.com – notice the use of a domain with a ‘typo’ – and this one includes instructions to open the attached file to restore access to the account.

The attached file Restore Account.html contains a form that sends the submitted details to hxxp://pisyneluta.com/u.php.
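Both attachments above share one tell: the page borrows its CSS, scripts and logo from the brand's real site, but the form's action points at a different domain. The following is an added example (not code from MX Lab or the original post) of a gateway check that parses an HTML attachment and flags that mismatch; the sample attachment and the phish.example domain are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the restore.account.html attachment described above:
# assets come from the brand's real site while the form posts to a placeholder domain.
SAMPLE_ATTACHMENT = """<html><head>
<link rel="stylesheet" href="https://www.westernunion.com/css/style.css">
<script src="https://www.westernunion.com/js/main.js"></script>
</head><body><img src="https://www.westernunion.com/images/logo.gif">
<form method="post" action="http://phish.example/restore.php">
 <input name="user"> <input type="password" name="pass">
 <input type="submit" value="Restore account">
</form></body></html>"""

# Crude registrable-domain approximation (last two labels); good enough for a gateway rule.
def _site(host):
    return ".".join(host.lower().split(".")[-2:])

class _AttachmentScanner(HTMLParser):
    # Collect form targets, hosts that page resources load from, and password fields.
    def __init__(self):
        super().__init__()
        self.form_actions, self.resource_hosts, self.password_fields = [], set(), 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag in ("script", "img", "link"):
            host = urlparse(a.get("src") or a.get("href") or "").hostname
            if host:
                self.resource_hosts.add(host.lower())
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

def analyze_attachment(html_text):
    """Flag a form that submits to a site other than the one the page borrows its assets from."""
    s = _AttachmentScanner()
    s.feed(html_text)
    resource_sites = {_site(h) for h in s.resource_hosts}
    findings = []
    for action in s.form_actions:
        u = urlparse(action)
        if not u.hostname:
            continue  # relative action: a local file has nothing useful to post to
        if _site(u.hostname) not in resource_sites:
            findings.append(f"form posts to {u.hostname}, assets load from {sorted(resource_sites)}")
        if s.password_fields and u.scheme != "https":
            findings.append(f"password field submitted over {u.scheme}")
    return {"form_hosts": [urlparse(x).hostname for x in s.form_actions], "findings": findings,
            "resource_hosts": sorted(s.resource_hosts), "suspicious": bool(findings)}
```

Run on a real .html or .mht attachment, a non-empty findings list is a reason to quarantine the message rather than deliver it.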

Another PayPal phishing example

Dear PayPal customer,

During our regularly scheduled account maintenance and
verification procedure we have detected a slight error in your
billing information.

This might be due to the following reasons:

1. A recent change in your personal information (ie. change of address, email address)
2. An inability to accurately verify your selected option of payment due to an internal error within our systems.

Please verify your information. To do this we have attached a
form to this email. Please download the form and follow the
instructions on your screen.
NOTE: The form needs to be opened in a modern browser which has
javascript enabled (ex: Internet Explorer 7, Firefox 3, Safari 3,
Opera 9)

We are requesting this information to verify and protect your
identity. This is in order to prevent the illegal activity of
PayPal accounts.

Please do not reply to this email.

We apologize for any inconvenience this may have
caused. Sincerely, PayPal Security Team.

PayPal Email ID PP836l Email ID PP836

The HTML included with the PayPal phish rendered incorrectly when opened in a browser. Also, the document was named “Profile Update – PayPal.mth” – notice the .mht type instead of .htm.

Explorer SPAM Detector for Public is malware

MX Lab intercepted a few messages with the subject “Systematic Security Software : Explorer SPAM Detector for Public” sent from the spoofed address Systematic Inc <soft@systematic.com>.

The email offers a software tool called Explorer Spam Detector from Symantec:

Systematic launched a new program SPAM detector Explorer, the program automatically detects if a page is original or not, if you open a mail if the sender is not original is detected. If you are tired of spammers and you are tired as your accounts will be broken, to lose money on paypal or lose auctions, Download this program and all your data, all your accounts will be safe. This program is free, you do not need to buy it, you do not need a license.

Below is an actual screenshot of the email:

The included URLs will take you to a web site where the malware is hosted: hxxp://systematic.armed.us/download/Setup.exe.

The malware is approx. 1,5 MB when downloaded and is named Setup.exe.

Submission to VirusTotal shows that only 1 of the 40 AV engines detected the malware: Symantec AV engine version 20091.2.0.41. The name Suspicious.Insight is a detection from Symantec’s reputation-based security technology, so it is not the name of the malware.

When executed on a computer, the system gets infected and a new window is created:

The appearance of this window on your system could give the impression that the software didn’t install correctly. By then, your computer is already infected.

The following files are created:

%AppData%\Microsoft\System\Services\[filename of the sample #1] where %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The file %System%\drivers\etc\hosts is modified and the following folders are created:

* %AppData%\Microsoft\System
* %AppData%\Microsoft\System\Services

A Windows registry entry is added so that the malware runs each time the computer boots:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
* [filename of the sample #1] = "%AppData%\Microsoft\System\Services\[filename of the sample #1]"

The HOSTS file is updated with the following hostname-to-IP mappings:

127.0.0.1 www.virscan.org
127.0.0.1 virscan.org
127.0.0.1 221.207.255.61
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 74.53.201.162
127.0.0.1 scanner.novirusthanks.org
127.0.0.1 91.121.223.25
127.0.0.1 www.xxbots.net
127.0.0.1 xxbots.net
127.0.0.1 208.43.26.70
127.0.0.1 www.virusscan.jotti.org
127.0.0.1 virusscan.jotti.org
127.0.0.1 66.36.241.92
127.0.0.1 forums.malwarebytes.org
127.0.0.1 74.63.217.106
127.0.0.1 www.codespace.net
127.0.0.1 codespace.net
127.0.0.1 174.133.4.108

As you can see, after this change you no longer have access to the web sites listed here: because of the HOSTS file modification, every request for these sites points back to your local computer at 127.0.0.1. The purpose is to prevent the user from visiting these sites for information or for downloading anti-virus/anti-malware software. If you are infected with this malware, make sure you restore the HOSTS file.
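The HOSTS hijack above is easy to audit mechanically. The following is an added example (not code from MX Lab or the original post) that parses a hosts file, reports every non-local name sinkholed to loopback, and returns a cleaned copy; the sample file is constructed from a default hosts file plus a few of the entries listed above, and the SECURITY_SITES watchlist is an assumption you should extend for your own environment.

```python
import ipaddress

# Constructed sample: a default hosts file plus a few of the entries the malware adds.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 74.53.201.162
127.0.0.1 forums.malwarebytes.org
"""

# Security vendors the malware above sinkholes (taken from the post); extend as needed.
SECURITY_SITES = {"virustotal.com", "virscan.org", "novirusthanks.org", "jotti.org",
                  "malwarebytes.org", "codespace.net"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost"}

def _is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def find_hijacked_entries(hosts_text):
    """Return (line_no, ip, name, reason) for entries that sinkhole real names to loopback."""
    findings = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop comments, then split on whitespace
        if len(parts) < 2 or parts[0] not in LOOPBACK:
            continue
        for name in parts[1:]:
            site = ".".join(name.lower().split(".")[-2:])  # crude registrable domain
            if name.lower() in LOCAL_NAMES:
                continue
            if _is_ip_literal(name):
                # hosts entries only affect name resolution, so an IP literal here does
                # nothing to connections to that IP; it is still a strong indicator of tampering
                findings.append((n, parts[0], name, "IP literal used as a hostname"))
            elif site in SECURITY_SITES:
                findings.append((n, parts[0], name, "security vendor sinkholed to loopback"))
            else:
                findings.append((n, parts[0], name, "non-local name mapped to loopback"))
    return findings

def clean_hosts(hosts_text):
    """Return the hosts file with every hijacked line removed; review findings before writing it back."""
    bad = {f[0] for f in find_hijacked_entries(hosts_text)}
    return "\n".join(l for n, l in enumerate(hosts_text.splitlines(), 1) if n not in bad) + "\n"
```

On an infected machine, read %System%\drivers\etc\hosts, run find_hijacked_entries on its contents and write back the output of clean_hosts once the findings have been reviewed.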

The possible country of origin for this malware is Russia.

VirusTotal permalink and MD5: 97ff431ca077c59d76d147832260b7ef.
