The Latest in IT Security

Various money-related spams serve as a versatile attack vector to spread ZeuS – The emails and the linked website attack the victim in several ways to spread the dangerous banking Trojan

18 Nov 2011

We discovered a series of really nasty spam mails that have a lot to offer. They come in various types with different subjects, seemingly tied to the geographical areas they are spread in. Let’s have a look at an email we discovered in Poland:

More email examples can be found at the bottom of this article. We’ve seen mails sent to computer users all over the world.


Primary Hints to identify the spam

A person who has no connection to the bank named in this mail has no reason to worry about a rejected transfer in the first place. Anyone who does have a contract with the bank should check the obvious factors:
First of all, the sender address is forged: icba.org belongs to the Independent Community Bankers of America, and they would not send such an important email about mortgage issues. Second, a bank or official institution would not open the mail with “Dear Account Owner”, which is not personal at all. Thirdly, the transaction ID is a random number and will most probably not match any real transaction you made, if you are a customer of the bank.
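The three hints above can be turned into a simple triage script. The following is an added example, not part of the original article or of G Data's tooling; it runs over a constructed message that imitates the mail described here, and the `my_banks` parameter and the `example.invalid` hosts are assumptions for the demonstration.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Salutations a bank would not use for a personal notice (the "impersonal greeting" hint).
GENERIC_GREETINGS = ("dear account owner", "dear customer", "dear user", "dear client")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample imitating the mail described in the article; not the original message.
SAMPLE_MAIL = """\
From: "ICBA Mortgage Department" <notify@icba.org>
To: recipient@example.invalid
Subject: Rejected mortgage transfer
Content-Type: text/plain; charset="utf-8"

Dear Account Owner,

Your mortgage transfer could not be processed.
Transaction ID: 4473820915
Review the transaction here: http://flash-update.example.invalid/check.php
"""

def sender_domain(msg):
    """Domain part of the From header, lower-cased; empty string if there is none."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_mail(raw, my_banks=()):
    """Return a list of reasons the message looks like a lure, following the checks
    from the text. my_banks (assumed parameter): domains of institutions the
    recipient actually has a contract with; an empty tuple skips that check."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    from_dom = sender_domain(msg)
    hints = []
    if my_banks and from_dom not in {d.lower() for d in my_banks}:
        hints.append(f"no relationship with sender domain {from_dom}: ignore and delete")
    first = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if first.startswith(GENERIC_GREETINGS):
        hints.append("impersonal greeting: " + first.rstrip(","))
    if re.search(r"transaction\s*id\s*:\s*\d{6,}", body, re.I):
        hints.append("transaction ID quoted: verify it against your own records, not the mail")
    for url in URL_RE.findall(body):  # links should stay within the sender's own domain
        host = (urlparse(url).hostname or "").lower()
        if not (host == from_dom or host.endswith("." + from_dom)):
            hints.append(f"link host {host} does not belong to sender domain {from_dom}")
    return hints
```

Running `score_mail(SAMPLE_MAIL, my_banks=("mybank.example",))` yields four hints; a correctly addressed statement notice from a bank the recipient uses, linking only to that bank's own host, yields none.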


The malware attack

But all this is child’s play compared to what is behind the link in this mail: if someone opens the link, a website opens and tries to convince the visitor to download an update for Adobe Flash Player. Obviously, this update is a fake. Our analyses show that it contains ZeuS malware, and we currently detect it as Gen:Variant.Kazy.44360.
But the attack is not over yet. Even if the user realizes that this update offer is fake and does not follow the specious advice, the website itself is also potentially dangerous: the authors included a .php file which hides an obfuscated JavaScript. This JavaScript launches an applet that works as a drive-by downloader. It tries to exploit the user’s computer through the vulnerability described in CVE-2010-0840. Attackers are still using this old vulnerability, which has long been fixed; we have reported on it before in our blog and press releases.
If the exploit works, the applet downloads further data to the computer of the user, who is now a victim. The downloaded file, a .dll in this case, is the actual malware, and it also aims to infect the user with ZeuS!

So, we have a hybrid website that tries to infect the visitor through social engineering, by offering an allegedly necessary software update, and also uses technical means to initiate a drive-by infection! Double trouble!

Some URLs we discovered only use the drive-by infection vector, but obviously that does not make them any less dangerous!


Advice

  • If you receive an email from a service you have never used, ignore and delete it; under no circumstances open attachments or click on URLs.
  • Never disclose any personal information and/or bank data, either via e-mail or on dubious websites.
  • Enter the addresses of websites with user logins manually, or use your browser’s Favourites function.


If you want to read more about the scamsters’ tricks regarding emails, feel free to read our G Data whitepaper about “dangerous emails”, currently available in German, French, Dutch and Italian – more translations coming soon.
You can also check out our monthly Malware Information Initiative statistics to see the developments in terms of recent malware threats.

