The Latest in IT Security

Shopping in my sleep? No, just malware.


I received my confirmation email from Athleta so quickly, I didn’t even remember placing the order. But I was intrigued by the possibility of my having ordered a long list of great-sounding swimwear and summer clothes from Athleta without even realizing it. Am I that addicted to e-commerce that I can shop in my sleep? Or was I having a shopaholic blackout? Perhaps it was time for an intervention.

To dig a little deeper into the issue, I visited the Athleta site (NOT by clicking through the link in the email, after all I do work for a security company). How would the Shirrendipity halter tankini listed in the confirmation email look on me? Hmm… XL does seem a little bit too big, but, who knows, maybe their sizes run small… I’m really trying to convince myself there is a tankini on its way to me that I don’t remember ordering.

If you haven’t figured it out by now, this email was NOT sent by Athleta. It was sent by a purveyor of malware, trying to get me to click on one of the hyperlinks within the message. As part of my regular workweek, I see a lot of spam, malware and phishing emails. But this email message looked SO good, so convincing — down to the sporty shirred swim skirt in the order list, that quite frankly, I could have ordered — that even I was fooled for a minute. Even though I had never heard of the store. I even went to far as to type in my email address in the “forgot your password” wizard at, to see if maybe, just maybe, I had set up an account there & ordered something without realizing it, since after all, there are lots of e-commerce partnerships these days.

There is always some detail that is a little “off” on a phishing email, or as in this case, a targeted malware message, and I did notice the sizing, and of course the fact that I didn’t remember ordering from the store. The message was so good, however, that I was even willing to overlook these tiny issues. But for the suspicious among us, another detail is a dead giveaway – the link in the email doesn’t match the link seen when you hover over it with the mouse. Even though “” looks like it could be a legitimate Athleta domain, the visible hyperlink should match the link it’s actually taking me to, so this is another hint that it’s not a real confirmation email. No legitimate business would include text that appears to be a hyperlink and stealthily hide the real hyperlink in the source code.

Once I realized I hadn’t been sleep-shopping, I relaxed and sent the message to my colleagues in the virus and spam labs and asked them: What would have happened if I had clicked on the link? The answer isn’t pretty (nowhere near as pretty as the Venetian Blue All Terrain Skirt I also supposedly ordered).

Clicking on the “order status” or “return policy” URLs in the email message downloads a zip file which includes the executable “invoice_athleta_order—.exe”. If opened, the first thing this malware does is determine my geographical location. Whatever happens after this may depend on the location since the results are sent to a control server. The malware then copies or downloads several other pieces of malware: “google.exe”, “googles.exe”, “googletools.exe” and “SOD.exe.” Note that the names of the files sound legitimate, so even if I notice them on my computer, I probably won’t be suspicious.

“googletools.exe” downloads a configuration file with a list of sites and URLs. Browsing to these sites will trigger another bit of malware, most likely logging my keystrokes or taking screenshots in order to steal my login usernames and passwords. Among the sites that trigger this behavior are:

  • AlertPay
  • Amazon
  • AT&T
  • Bank of America
  • Best Buy
  • Black Hat SEO Forum
  • CHASE Home
  • Citibank
  • Craigslist
  • Facebook
  • Fifth Third Bank
  • Go Daddy
  • Google Checkout
  • Hack Forums
  • Harris Bank
  • IBackup
  • IMVU
  • LastPass
  • Liberty Reserve
  • Lockerz
  • Moneybookers
  • Myspace
  • Netflix
  • Newegg
  • Payment Gateway (
  • PayPal
  • PlayStation
  • PNC Bank
  • RapidShare
  • RoboForm
  • Target
  • TCF Bank
  • TheVault
  • T-Mobile
  • U.S. Cellular
  • Verizon
  • Warez-BB
  • WarriorForum
  • WebMoney
  • Western Union
  • World of Warcraft

In other words, almost every popular bank, e-commerce site, cell phone provider, etc. where I might enter a credit card or banking credentials is fair game for this nasty malware that tried to target me through my unfulfilled wish to own the perfect tankini.

They say a bathing suit is a slim layer of protection against the sun’s harsh rays. In this case I was barely a Lycra thread away from getting a serious malware infection.

Well, looking on the bright side, this malware-laden email got me to visit the real So why didn’t I order anything from Athleta? Maybe I will.

Email text:

Dear Rebecca Herson  

Thanks for shopping at Your order number is #15YNB0G. Please print this page or write this number down, for future reference. This order should arrive within 9 business days.

You may check the status and order information of your order by:–G


Size Unit
Qty Total Return


Sporty Shirred Swim Skirt
XL 44.00 1 44.00 Mail only
Shirrendipity Halter Tankini
XL 59.00 1 59.00 Mail only
Sporty Shirred Bottom
Garden Green
XL 42.00 1 42.00 Mail only
Shirrendipity Halter Bikini
Garden Green
DCUP 44.00 1 44.00 Mail only
Doran Dress
XL 69.00 1 69.00 Mail only
Double Dutch Tee
Venetian Blue
XL 54.00 1 54.00 Mail only
All Terrain Skirt
16 59.00 1 59.00 Mail only


Summary of Charges


Order Subtotal: 371.00
Shipping & Handling: Free
Tax: 28.64
Order Total: 399.64


Payment Info




You will receive a shipment notification email message as soon as we send your order. We may also send you additional updates regarding the status of your order. This email is for your records only and cannot be used as a receipt for in-store returns. To receive a full refund, you must bring the invoice included in your shipment to the store.

New: Gap, Old Navy, Banana Republic, and Piperlime return policies have changed. Return merchandise within 45 days of the original online purchase date. To view the entire return policy, CLICK HERE.

Sincerely, Customer Service




  1. Visitor September 30, 2011

    If you have registered on MagentoCommerce, that’s where the email came from.

    Chat transcript:
    Visitor: Can you remove my account and email address from your system please
    Willeke: hi
    Visitor: hello
    Willeke: of course, can you please tell us what is the issue?
    Visitor: I want you to remove my email address and account.
    Willeke: yes, is there any special reason for this? just for our information?
    Visitor: Yes I am receiving spam email after I joined your site
    Willeke: from
    Visitor: exactly
    Visitor: see you know it
    Willeke: it s a global issue and we are on top of it
    Visitor: You either sold my email address or your security is shit
    Visitor: can you just close my account pls
    Willeke: our netops already detected the malware and blocked the issuer
    Visitor: I dont care
    Visitor: just close my account
    Willeke: ok open a ticket please
    Willeke: we need a ticket

    Do not use any Magento product. Its fucked up.

  2. mauri September 30, 2011

    As a stupid I clicked on the link … I receiveve only a blank web page and seems the nothing is downloaded .
    I searched on my pc the file “invoice_athleta_order—.exe” but seems the there is not any file like this.

    You wrote that ONLY clicking on the file the malware is activated, can you confirm this?

    Any other suggestion ?

    THX a lot.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments