Directory scam: registration for the World Trade Register’s 2012/2013

February 14, 2012 Leave a Comment

MX Lab, http://www.mxlab.eu, reported earlier in the past of directory scams to register your company “for free”. But when sending back the document, you really agree to get involved into a commitment for several years while paying each year a significant amount for the registration.

MX Lab is intercepting these messages on a regular base and from time to time we see that the sending email address is changed, the company name get changed,… but in fact the scam is the same: lure people into signing an agreement and get their money. This time it is no different with the “World Trade Register’s 2012/2013 edition”.

The email is send from the address”World Trade Register <register@2business-list.com>”, while the domain 2business-list.com is registered on 03-feb-2012,  and has the following body:

Dear Madam/Sir,

In order to have your company inserted in the World Trade Register’s 2012/2013 edition, please print, complete and return the enclosed form to the following address:

World Trade Register
P.O. Box 3079
3502 GB Utrecht
The Netherlands

email: register@2business-list.com
Fax: +31 205 248 107
Business Registration 2012/2013

Updating is free of charge!

To unsubscribe, please send an email to remove@2business-list.com

Attached to the email is the PDF document wtr2012.pdf.

The first item you will need to be carefull with is at the top of the document on the left:

To update your company profile, please print, complete and return this form. Updating is free of charge. Only sign if you want to place an insertion.

Notice the part “Updating is free of charge” and “Only sign if you want to place an insertion.” It is quite obvious and self explaining for everyone, isn’t it? But keep reading further dow, where the small letters are.

The second item you need to read is the following part of the text regarding the order:

THE VALIDATION TIME OF THE CONTRACT IS THREE YEARS AND STARTS ON THE EIGHTH DAY AFTER
SIGNING THE CONTRACT. THE INSERTION IS GRANTED AFTER SIGNING AND RECEIVING THIS DOCUMENT BY THE SERVICE PROVIDER. I HEREBY ORDER A SUBSCRIPTION WITH SERVICE PROVIDER EU BUSINESS SERVICES LTD “WORLD TRADE REGISTER” I WILL HAVE AN INSERTION INTO ITS DATABASE FOR THREE YEARS. THE PRICE PER YEAR IS EURO 995.

What does this mean? According to the document, when it is returned back with your signature, your entry in the World Trade Register is subject to a contract with EU Business Services Ltd for the next 3 years with a price tag of 995 Euro per year.

Now I suppose that anyone would sign this because of the “clear instructions” and the lay out of the document. This is a malicious technique in order to get companies signed to a contract of 995 Euros per year and again, we expect that some people will be fooled by this way of working.

Our recommendation is: don’t sign the document and don’t do business with this company.

Filed under Spam, Various Tagged with , , ,

Emails regarding rejected ACH payment contains security risk

January 31, 2012 Leave a Comment

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subjects like:

Rejected ACH transaction
Rejected ACH payment
Your ACH transfer

The email is send from the spoofed addresses like:

“\”The Electronic Payments Association\” risk.manager”@nacha.org
“\”The Electronic Payments Association\” alerts”@nacha.org
“\”The Electronic Payments Association\” risk”@nacha.org
“\”The Electronic Payments Association\” transfers”@nacha.org
“\”The Electronic Payments Association\” ach”@nacha.org
“\”The Electronic Payments Association\” payment”@nacha.org

The email has the following body:

The ACH transaction (ID: 02710822288793), recently sent from your checking account (by you or any other person), was rejected by the Electronic Payments Association.

Canceled transaction
Transaction ID: 02710822288793
Reason for rejection See details in the report below
Transaction Report report_02710822288793.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA – The Electronic Payments Association

A sample of the email:

The URLs for the transaction report are different and in some cases no longer valid. Some examples:

hxxp://minalimo.com/f9oYYmiY/index.html
hxxp://maerlipinte.ch/LaV4inWa/index.html
hxxp://hotel-sicily.it/aRpcdCjd/index.html

One of the URLs did give us a result: hxxp://ftp.samisalami.com/8KQZuSAy/index.html.

When investigating the HTML code of this web page we got the following:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type=”text/javascript” src=”hxxp://firstnamestore.com/utn08WYD/js.js”></script>
<script type=”text/javascript” src=”hxxp://ftp.adamsmarketing.com/VRssE3iH/js.js”></script>
<script type=”text/javascript” src=”hxxp://mediapoolstarnberg.de/WrqeCaoy/js.js”></script>
<script type=”text/javascript” src=”hxxp://paolomisirochi.com/nqrmZKRC/js.js”></script>
<script type=”text/javascript” src=”hxxp://lonnytyler.com/MZF0uXsc/js.js”></script>
<script type=”text/javascript” src=”hxxp://orquestrachapo.com/jAmCDzeM/js.js”></script>

</html>

As you can see, some Javascripts are loaded when opening this web page. Some URLs to the javascripts are also obsolete but some of them returns the code: “document.location=’hxxp://sulusate.com/forum/index.php?showtopic=997439′;”.

The above URL gives us the web page with the following code:

<body>
<applet code=’Verifa.class’ archive=’rhi.jar’ width=’24′ height=’22′>
<param name=”dest” value=”lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAvlmrs”>
</applet>
</body><body>
<applet code=’Ooo.class’ archive=’Ooo.jar’ width=’24′ height=’22′>
<param name=”dest” value=”lxxt>33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAsfi”>
</applet>
</body>

When opening the URLs  in a web browser – something we do not recommend to even try – you will get redirected to bing.com or another web site so you won’t see this code.

It seems that some javascript is obfuscated and that .jar files are involved here inside an applet. The risk is that these applets in java could contain malicious code. Ooo.jar is however related to OpenOffice but in this case it can also be used for phishing.

This email is a security risk – a virus or a phishing attempt – for sure so do not follow any URLs or open files.

Filed under Email security, Phishing Tagged with , , , ,

Email “FedEx, Shipment Notification” with trojan in zip attachement

January 30, 2012 Leave a Comment

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “FedEx, Shipment Notification”.

The email is send from the spoofed address “FedEx <no-reply@fedex.com>” and has the following body:

The attached ZIP file has the name FedEx-Shipment-Notification_GX3553U8-Jan2012.zip and contains the 200 kB large file FedEx-Shipment-Notification.exe.

The trojan is known as W32/Trojan3.DEC (F-Prot), Trojan-Spy:W32/Zbot.AVRN (F-Secure), Trojan-Dropper.Win32.Injector.clrk (Kaspersky), Trojan.Zbot (Sophos).

At the time of writing, only 11 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 28aba7221fe47882164fa45d9d63c58110b96b94d9b2291b692afaa7406c2e46.

Filed under Malware, Viruses Tagged with , , , ,

Dutch emails with Report.zip attached contains trojan

January 20, 2012 1 Comment

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the following possible subjects:

Fwd: Vertel de fiscus
Fwd: Niet in het derde kwartaal van dit jaar!
Informeer de belastingsdienst!
Order
Order #98314389
Re: adviser id: 586452.
Re: profile consultation id: 90616
The answer id: 79858
Your request id: 52018110.

The email is send from different spoofed addresses and has the following body:

Hallo
U moet de rekening betalen voor het einde van de week.
Details in de bijgevoegde documenten…

The attached ZIP file has the name Report.zip and contains the 41 kB large file Report.Docx____**____.exe (the filename contains many underscores to hide the .exe file type extension at the end).

The trojan is known as W32/Yakes.B!tr (Fortinet), UDS:DangerousObject.Multi.Generic (Kaspersky), Posible_Worm32 (TheHacker).

At the time of writing, only 4 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 5037236777f3d320482de732688243faa192ade3bcbbda57472407d7b1219cfe.

Filed under Malware, Viruses Tagged with , , ,

New year gift from Amazon sent by a friend contains malware

January 19, 2012 Leave a Comment

MX Lab, http://www.mxlab.eu, intercept a few samples of a new trojan found in emails with the subject  ”A friend just sent you a new year gift from amazon” sent from the spoofed address “amazon seller <customer_amzon.com@correo.rgm.com.co>”.

The email has the following body:

Good day,
We are to inform you that someone just sent you a gift from amazon.com,
below is the recipt kindly open and track the order. Wishing you a lovely year ahead.
Best regards,
Amazon.com

The malware  is approx. 221 kB large and listens to the name file4402_fdp.exe.

The trojan is known as Win32:Malware-gen (Avast), Trojan.Win32.VBKrypt.imoz (Kaspersky), Artemis!798A4ABB09D7 (McAfee), Mal/Generic-L (Sophos).

At the time of writing, 24 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 40bbaa3e93e50dbdc2b615ae383c3c36c0ab358c311a39efaf6c1246b71ef903.

Filed under Malware, Viruses Tagged with , , ,

Spam in fake LinkedIn messages

January 19, 2012 2 Comments

MX Lab, http://www.mxlab.eu, has noticed a large spam campaign on behalf of the Canadian Family Pharmacy in fake LinkedIn messages.

The messages come the spoofed email address <member@linkedin.com> with the authors like:

Fenella  Macdonald via LinkedIn <member@linkedin.com>
Catriona  Bailey via LinkedIn <member@linkedin.com>
Susan  Jones via LinkedIn <member@linkedin.com>
....

Subjects in use:

Can i place your photo on my site?
Can i place your photo on our facebook page?
Can i place your information on our web page?
Can i place your video on our web site?
Can i place your video on my facebook page?
Can i place your contacts on our twitter page?
…..

Example of the email:

The URL in the message point to different web hosts and pages with an redirect HTML:

<html><head><title>Buy Viagra Online – Online Pharmacy</title><style type=”text/css”> a { font-size: 24pt; } </style><script type=”text/javascript”>var a = “hxxp://viagralevitratestosterone.com”;window.location = a;</script></head><body><center><h1>#1 Online Pharmacy</h1><br>Online DrugStore<br><a href=”hxxp://viagralevitratestosterone.com”>Buy Viagra Online</a></center></body></html>

In return, the redirect points to hxxp://viagralevitratestosterone.com.

Filed under Spam Tagged with , ,

Emails with subject “FDIC: About your business account” contains new trojan

January 10, 2012 Leave a Comment

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “FDIC: About your business account QHOFB1Z84963″ (the combination at the end will change with each email).

The email is send from the spoofed address “Federal Deposit Insurance Company <convened@fdic.gov>” and has the following body:

Dear Business Customer,
We have important information about your bank.
Please refer to attached file to view information.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
Tue, 9 Jan 2012 12:11:34 +0100

FDIC USA Questions for FDIC?
Contact Us
Federal Insurance Company
3501 Fairfax Drive
Arlington VA 22226
877-275-3342

The attached ZIP file has the name FDIC_Information_About-your-business-account-JAN2012-223588.zip and contains the *** kB large file FDIC_Information_About-your-business-account-Jan-2012.exe (numbers will change)

The trojan is known as PWS-Zbot.gen.ma (McAfee), Trj/Zbot.L (Panda), Mal/Zbot-EZ (Sophos) and UDS:DangerousObject.Multi.Generic (Kaspersky).

At the time of writing, only 6 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5:4d9e26f544458084261d715a44d13e03.

Filed under Malware, Viruses Tagged with , , ,

Have a safe 2012!

December 29, 2011 Leave a Comment

Filed under MX Lab News

“I’m in trouble!” email malware distribution attempt

December 22, 2011 Leave a Comment

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fwd: I’m in trouble!”.

The email is send from various spoofed addresses and has the following body:

I was at a party, got drunk, couldn’t drive the car, somebody gave me a lift on my car, and crossed on the red light!
I’ve just got the pictures, maybe you know him???
Here is the photo

I need to find him urgently!

Thank you
Asmita

Fingerprint: c72d5b3c-af1af1a5

At the end of the message there is a fingerprint code but don’t be filled by that. This is not a real proof that this message is secure and safe to use.

The URL behind ‘Here is the photo’ will lead to a site where a redirect is a place to the malware payload. The URL can be identified quite easily because they are fairly long, will point to servers where blogs are hosted and quite often have what appears random characters and variables inside.

An example:

hxxp://newflight.info/wp-content/themes/twentyten/wvfou.htm?
GAJLZP=Y73TY9V&SS4C24F=1H9F0COJCVB2P8FAVJL&Z208W=116AEU0Z&XC8C
=3I1MPP6A2K42K&BO77Z=67QUD1YRE9QF11FV&04T9Z=4942YY7N&KMLD=HUKYAXRX7AUD5R4UK&"

These pages will continue with a redirect, embedded in an iframe HTML tag, to for example hxxp://cgredret.ru/main.php.

MX Lab recommend not to follow any of the embedded URLs.

Filed under Malware Tagged with , ,

Account Activity Notification with attached ZIP file contains a trojan

December 21, 2011 Leave a Comment

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Account Activity Notification 2419060820NJ” – the number and letters will vary.

The email is send from the spoofed address “Account Support” and has the following body:

An Account Activity Notification you created has detected that the
following transaction has posted as of 12/19/11. The detail information
associated with the transaction is as follows:

Account: XXXXXX5693

Transaction Description: Incoming Wire Transfer
Amount: $087,390.45
Type: Credit
Reference Info: 1453328649OS
Availability: Immediate

PLEASE REFER TO ATTACHED FORM FOR MORE DETAILS

CONFIDENTIALITY NOTICE: This electronic mail transmission may contain
legally privileged, confidential information belonging to the sender. The
information is intended only for the use of the individual or entity named
above. If you are not the intended recipient, you are hereby notified that
any disclosure, copying, distribution or taking any action based on the
contents of this electronic mail is strictly prohibited. If you have
received this electronic mail in error, please contact sender and delete
all copies.

The attached ZIP file has the name Account_Update_Notification_12192011-71714.zip and contains the 210 kB large file Account_Update_Notification_12192011.exe. The filenames will vary with each email.

The trojan is known as Trojan.Win32.Heur.Gen (ByteHero) or PWS-Zbot.gen.ma (McAfee).

At the time of writing, only 2 of the 42 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 09707085eb9812202ba72a1c6f6c5f4a.

Filed under Malware, Viruses Tagged with , ,

Older posts

Follow

Get every new post delivered to your Inbox.

Join 109 other followers