Websense ThreatSeeker® Network has been monitoring and tracking a recent wave of email attacks being spread and aimed at credit card users and holders.
The attack comes in the form of a short email with fairly detailed text alerting the recipient that their credit card has been blocked, and that they should open the attached file to find out more. The format seems old, with the content and attached file properties being the distinctive factor. With the recent attacks and data breaches of organizations in the press, this seems to be worth the buzz as personal details and credit card details were part of the information leaked.
Sample of email message.
A similar message opened with a text editor below shows the content has not changed much during the campaign. There is less the wording within the message body and the header information with regards to sender address or connecting IP's which are listed in this blog post.
A similar message opened with a text editor below shows the content has not changed that much during the campaign less the wording within the message body and header information with regards to sender address or connecting IP's which are listed in this blog post..
A noticeable repeating pattern, besides the salutation and some generic content such as ” Dear User|Client|Sir|Madam”, “WARNING|ATTENTION|URGENT”, is the attached file name. This example file format is a .bat file, which indicates it is a DOS executable batch file. Additionally, the file name format we have seen has always used the following format:
"id", "[5-7 digits]" and the file extention.
Further analysis into the file reveals this is also a Windows executable that contains a PE tag within the header information, as highlighted in the picture below.
Interestingly, the file properties also suggest to the untrained eye that this appears to have been originated from VMware. This ties in to the entire trickery of the author and also the re-use of the tactic and resources.
Although this appears to have originated from VMware, the attached file is actually not signed, as shown in the screen shot below (courtesy of VirusTotal).
The file is also VM-Aware, as the resulting execution of a download for fake AV only works if host based analysis is used (as opposed to a guest virtual machine).
Websense customers are protected from these threats by ACE, our Advanced Classification Engine.
Leave a reply