At the moment there is no week without another spam campaign – this week we proudly present the US Airways ticket scam. The malware behind this scam is still the same as in the previous post, ZeuS a.k.a. Zbot, detected by Emsisoft Anti-Malware as Trojan-Spy.Win32.Zbot.
The following email subjects are being used:
- US Airways online check-in.
- US Airways online check-in confirmation.
- US Airways reservation confirmation.
- Confirm your US airways online reservation.
You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). After the check-in, all you need to do is print your boarding pass and proceed to the gate.
Confirmation code: 772129
Check-in online: Online reservation details
Flight
8507
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012
Clicking on the malicious link will take you to this screen:
By analyzing the source of the page we can see that it tries to access four JavaScripts from another URL:
All of these JavaScripts contact the same BlackHole Exploit Kit server containing the following text only:
The purpose of this address is to load Java and Adobe exploits to infect the system. Emsisoft Anti-Malware detects this threat as Exploit.Java.Blacole and Exploit.JS.Pdfka.
Finally, once the system is exploited more malicious executables are downloaded to continue stealing sensitive account information.
ZeuS is one of most known banking trojans and spread very widely. We recommend you to keep your security software and Java and Adobe products updated.
Within the last days we received a lot of scam emails pretending to originate from the Mazon State Bank, Fedwire (Federal Reserve Wire Network), Hinsdale Bank & Trust Co. and many others. The majority of these emails contained information about a money transfer or the account being disabled.
Of course the emails are scam with the target to make victims clicking links that lead to malicious websites. The websites run a BlackHole exploit to infect the visiting computer with a trojan spy by exploiting some known vulnerabilities, e.g. MDAC vulnerability (CVE-2006-0003).
The malicious site additionally notifies the user to update the Adobe Flash Player. Yes, this is also a fake. If the victims clicks on that link, another malware will be downloaded. Emsisoft Anti-Malware detects it as variant of Trojan-PSW.Win32.Zbot and Trojan-PSW.Win32.SpyEye.
There are a lot of different variants of the scam emails, here are some of them:
Dear account holder,
I regret to inform you that Money Transfer sent by you or on your behalf was hold by Mazon State Bank.
Transaction ID: 1707018975
Current status of transaction: on hold
Please review transaction details as soon as possible.
Eddy W. Jackson
Treasury Management
Good afternoon,
Your Account: Business Account XXX
Wire Amount: $ 72,549.89
Transaction Report: View
The wire transfer will be processed within 2 hours. Please make sure that everything is as you requested.
ELAINE GALVAN,
Federal Reserve Wire Network
Dear Account Holder,
I regret to inform you that Domestic Wire Transfer initiated by you or on your behalf was hold by Hinsdale Bank Trust Co.
Transaction ID: 1703559264
Current status of transaction: pending
Please review transaction details as soon as possible.
Sally Thorpe
Accounting Manager
Hinsdale Bank Trust Co
Hit singer Amy Winehouse has been found dead at her home in Camden, London on Saturday 23 July. Certainly, this tragedy caused a stir of her fans; and unfortunately it was easy to predict that such sad news would be used by cybercriminals. On Facebook we found quite many scam messages about a death video of Amy Winehouse.
If the user clicks the link, as for most scams that exist on Facebook, he will be taken to a survey page. The user now has to complete the survey before he may proceed. This is one of the blackhat tricks to earn money, because every time the user completes the survey the criminals will get a commission. Not only that, usually the user is also required to share the message with his Facebook friends, so it will furthermore be spread around.
In addition to surveys and earning money one other purpose of these Facebook scams is to get “Likes” from as many Facebook users as possible to promote a site, blog or even to increase the number of views of a YouTube video.
This is another example of the scam on a non-English page:
Users have to click the “Like” button to continue:
Users have to share this on their wall with the default text “omg :((( !!! F*ck!”:
“KLIKNĚTE NA TENTO ODKAZ” in English: “Click on this link”.
After users click on that link, they will be forwarded on another site with text “PRE SPUSTENIE VIDEA MUSITE KLIKNUT NA VSETKY PACI SA MI TO!!”, in English “To run the video, you must click on every Like button!”:
Among a lot of various scam emails about “post express“, we found one email that is unfamiliar, and pretty sure this is a different malware, with subject “Available for pickup“, and included an executable attachment file, “Sent.exe“.
Dear Sir
I have just returned and received your message — it is 2:25 am in Vancouver.
I have received a communication from your partner (I am forwarding it separately) and am waiting for an official translation that I will then take up with my colleagues.
Hence, the funds has been sent via western union and money gram respectively
REF: 9310 5521 Amount: 3000 CAD
MTCN: 764 327 9355 Amount: 2000 CAD
The payment receipt is attached in a single file
I hope to hear from you soonest
Both payments are available for pick up
Sebat
We try to dig it deeper with the attachment, and found out that this is a Keylogger. From the decrypted configuration file, we can see the used SMTP server and the target email address for sending the report.
All recorded keystroke will be send to the target email address, including your IP, computer name, and the user name.
Keep update your Emsisoft Anti-Malware, and always stay alert and be cautious with everything you receive.
Malware continues to attack Facebook users. This time, the malware is able to spread through Facebook chat messages by sending a message along with a malicious links to the user’s friends.
The message looks like this:
hahahh Foto :D hxxp://apps.facebook.com/glombotke/photo.php?=1012323960
The link will lead to the malicious Facebook application page.
With the social engineering techniques, the malware author trying to deceive users by displaying a fake screen says that “Photo has been Moved.“.
If the “View Photo” is clicked, then it will download the malware file.
Once the users run the file, another window will be opened, and leads to the MySpace site (http://www.myspace.com/browse/people) or Google. In the background, when the user accessing his Facebook account, the malware will back into action by sending chat messages to the user’s friends.
Then, next if the user wants to login again, this malware will block the login page, and display a “scam survey” message with the link “Win an Apple product“. If the link is clicked then the user will be faced with a page that contain ads or affiliate links.
Another variant will redirect to the other scam survey page and shows a birthday message box when the user open the Facebook:
At the time the user return to the login page, he will find that his Facebook account has been suspended, with a message:
Your Account as been suspended!
The suspend will be released after 80 minutes
The suspend will be disabled only if you fill out one survey!
Please wait 80 minutes and tray again.
Actually, the account is not really suspended, it’s just a fake message created by the malware.
Emsisoft Anti-Malware detects this malware as Worm.Win32.Yimfoca!A2 or Trojan.Win32.Scar!IK. The Virus Total results are quite low at the moment, only 13 out of the 42 antivirus. On the another variant the results much lower, only 3/43.
So, always update your Emsisoft Anti-Malware, and always stay alert and be cautious with everything you receive.
Join Emsisoft Facebook page, and don’t forget to follow our Twitter to keep you stay update.
There are quite a lot of people who get an email from Amanda Lee (amanda.lee@blackberry.co.za or amanda.lee@blackberry.com) which says she is the Marketing Manger of the BlackBerry. According to the message, the BlackBerry will give a mobile phone for free by simply forwarding the email to several people; as also reported by Hoax-Slayer.
In addition, in recent days as well, again, we receive emails which saying comes from Western Union, with the subject “Thank you for using Western Union!”
The email sent by someone who is located at “….@att.net “. In the “reply-to” also there is another different email address, “carlosvillar.union@gmail.com”. In that email there is a file attachment with the name “Thank you for using Western Union!.doc“, which contains the following:
Dear Sir / Madam,
For 156 years, Western Union has been connecting people. At Western Union, there’s so much more than money you’re sending. Every sender and receiver is important to us. To celebrate our 156th anniversary, we’re rewarding our customers with prizes of USD60, 000.00
Because you sent money on-line, from an agent location or received money through Western Union, you’ve been selected.
However, you are required to forward the following information for immediate payment of your USD60, 000.00
1.) Bank Name:
2.) Beneficiary:
3.) Account Number:
4.) Bank Address:
5.) Swift Code or Routing Number:
6.) Your Mobile Telephone Number:
You will be contacted by a Western Union in the next 24 hours as soon as you forward your required information and you will receive the USD60, 000.00 prizes immediately from us.
Save time, send money, earn rewards! Western Union is a service people trust.
On its Web site, Western Union is already telling a good education to every customer to be careful when getting a suspicious e-mail:
Another fake email that also widespread are from UPS, DHL or FedEx. As we mentioned in our previous post about the fake email from FedEx, which contains Trojan-Dropper.Win32.Oficla, or Sasfis.
All of these scam emails has long been reported, but still hang around. For that, again, we recommend to always be careful when you receive a suspicious email, do not immediately click on links or open the attachments, find out the truth first. Also you can forward the suspicious email to us, and we will be happy to analyze it.
