Spam emails are nothing new and unfortunately most internet users are confronted with them daily. Their purposes vary from simply promoting a site or product, to phishing and downright infecting a computer. Today we received a particular nasty, but at the same time convincing-looking email, claiming to be from eFax.

Convincing at first sight, but when looking a little closer it becomes clear that this is nothing more than an attempt to have the reader open a supposed PDF document.
When looking at the email source the following is listed:
From: "eFax Corporate" <B50EBABBC@verzekeringshuis.be>
Subject: Corporate eFax message
According to the (legitimate) eFax website FAQ:
When someone sends you a fax, the message is delivered to the email address on your account.
- Faxes will come from the email address message@inbound.efax.com.
- The subject line of your email will be “Fax Received From (Fax Number)”.
In other words, both subject and sender do not match what we would expect from a real email from eFax. But there is more; let's have a look at the attachment, which according to the message is supposed to be a PDF document. After downloading and unzipping the attachment, this is what we get (see image).
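The two header checks made above (documented sender address and subject format) can be turned into a small rule. This is an added example, not code from the original post or from Emsisoft; the sample message is constructed from the headers quoted above, and the expected values come from the eFax FAQ quoted there.

```python
import email
import re
from email.utils import parseaddr

# Expected properties of a genuine eFax notification, per the eFax FAQ quoted above.
EXPECTED_SENDER = "message@inbound.efax.com"
EXPECTED_SUBJECT = re.compile(r"^Fax Received From \(?.+\)?$")

# Constructed sample reproducing the From and Subject headers of the spam message.
SPAM_MESSAGE = """\
From: "eFax Corporate" <B50EBABBC@verzekeringshuis.be>
Subject: Corporate eFax message
To: victim@example.com

Please find your fax attached.
"""


def check_efax_headers(raw_message: str) -> list:
    """Return findings explaining why the message does not look like a real
    eFax notification; an empty list means the headers are consistent."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    # The display name claims eFax, but the actual address must be the documented
    # sender, not an unrelated third-party domain.
    if address != EXPECTED_SENDER:
        findings.append(
            f"sender {address!r} is not {EXPECTED_SENDER!r} "
            f"(display name: {display_name!r})"
        )
    subject = msg.get("Subject", "")
    if not EXPECTED_SUBJECT.match(subject):
        findings.append(f"subject {subject!r} does not match 'Fax Received From (...)'")
    return findings


if __name__ == "__main__":
    for finding in check_efax_headers(SPAM_MESSAGE):
        print("SUSPICIOUS:", finding)
```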
This may look like a PDF file, but look at the icon. That is the default executable (.exe) file icon. A simple file properties check shows that this is indeed the case.
A .exe file trying to look like a .pdf file is by its very definition suspicious, which was confirmed when, upon execution, ZeuS was downloaded and loaded onto the system. This trojan is known for its info-stealing capacity (especially banking information). Emsisoft Anti-Malware detects the associated files as Trojan.Win32.Zbot.
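The "looks like a PDF, is really an .exe" trick can be caught before anyone double-clicks by typing archive members by their magic bytes instead of their name. Added example, not the post's or Emsisoft's code; the zip archive and its members are constructed here (a PE header stub, not a real sample).

```python
import io
import zipfile
from typing import Optional

# Magic numbers that identify the real file type regardless of the file name.
PE_MAGIC = b"MZ"        # Windows executable (.exe/.dll/.scr)
PDF_MAGIC = b"%PDF-"    # genuine PDF document
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".xls", ".jpg"}


def build_sample_zip() -> bytes:
    """Constructed sample archive: a fake 'PDF' that is really a PE stub next to
    a harmless real PDF. Neither member is taken from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eFax_Document.pdf.exe", b"MZ" + b"\x00" * 62 + b"stub")
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


def classify(name: str, head: bytes) -> Optional[str]:
    """Return a finding for one archive member, or None if name and content agree."""
    dotted = name.lower().split(".")
    ext = "." + dotted[-1] if len(dotted) > 1 else ""
    if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
        return f"{name}: executable content (MZ header) with non-executable extension {ext!r}"
    if ext in EXECUTABLE_EXTENSIONS:
        # Double extensions such as '.pdf.exe' mimic a document name and icon.
        if len(dotted) > 2 and "." + dotted[-2] in DOCUMENT_EXTENSIONS:
            return f"{name}: executable disguised with document double extension"
        return f"{name}: executable attachment"
    if ext == ".pdf" and not head.startswith(PDF_MAGIC):
        return f"{name}: .pdf extension but content is not a PDF"
    return None


def scan_zip_attachment(data: bytes) -> list:
    """Open a zipped attachment in memory and report members whose real type
    (by magic bytes) or naming suggests a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(8)   # only the header is needed for typing
            finding = classify(info.filename, head)
            if finding:
                findings.append(finding)
    return findings
```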
To remove this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine. Our experts in the “Help, my PC is infected!” Emsisoft Forum are always ready and willing to offer additional help. The removal service is absolutely free even if you are not an Emsisoft customer yet.
We have detected more spam emails spreading in recent days that try to infect the user's computer with a trojan. At this time some of the emails purport to be from Craigslist, Vodafone, Apple, Verizon and also LinkedIn. Here are some screenshots of the emails.
Craigslist

IMPORTANT – FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!
FOLLOW THE WEB ADDRESS BELOW TO:
• PUBLISH YOUR AD
• EDIT (OR CONFIRM AN EDIT TO) YOUR AD
• VERIFY YOUR EMAIL ADDRESS
• DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:
Click here
PLEASE KEEP THIS EMAIL – you may need it to manage your posting!
Your posting will expire off the site 7 days after it was created.
Thanks for using craigslist!
These spam emails are disguised as notifications from Craigslist. If the victim clicks on the link “Click here” in the email, it leads to the following address:
- hxxp://intranet.ypfb.gob.bo/wp-content/uploads/report.htm
Like most malicious emails, if the user clicks the link the browser is redirected to a page that hosts an exploit kit such as the BlackHole Exploit Kit, and which only displays text like “Please wait”, as shown below:

The exploit script makes several requests to addresses on the domain paranoiknepjet.ru. If the machine has been successfully exploited, it eventually downloads and executes the malware file.

Here is a string found during our research, which includes some online banking site addresses obtained after the malware makes requests to the C&C server:

Emsisoft Anti-Malware (EAM) detects the trojan file as variant of Cridex (Trojan.Win32.Cridex).
Vodafone
In the next spam email, one of my colleagues received a similar message, this time purporting to be from Vodafone.

You have ordered additional services.
You will find the invoice in the attached PDF file.
Your Vodafone Team
Vodafone D2 GmbH
Address: Am Seestern 3, 42145 Dusseldorf
Registered office: Dusseldorf
Headquarters: Am Seestern 3, 42145 Dusseldorf
This time the email doesn't contain any malicious links but instead includes an attachment named “VodafoneRECHN.pdf“, which is a PDF exploit. If the computer is successfully exploited, it downloads malware from the following addresses:
- hxxp://www.warm-up.it/old_files/images/old/img.exe
- hxxp://www.lz-hbg.com/docs/docs/index.exe
Apple
The third spam email claims to come from Apple and informs the user of the need to change their password.

Dear Customer,
The password for your Apple ID has been successfully reset.
If you believe you have received this email in error, or that an unauthorized person has accessed your account, please go to iforgot.apple.com to reset your password immediately. Then review and update your security settings at appleid.apple.com >
Questions? There are lots of answers on our Apple ID support page >
Thanks,
Apple Customer Support
If you hover your mouse over the attached links, it will show the actual URL with different landing pages as follows:
- hxxp://stireadeharghita.ro/eDrwfBtB/index.html
- hxxp://stireadeharghita.ro/5PpnAepT/index.html
- hxxp://haquangstone.com/Ug9Rw3jA/index.html
All three links contain the same script, which contacts the following addresses:

- hxxp://bossworkwear.co.uk/UzJdCfmo/js.js
- hxxp://damsdawn.com/RAsHidFy/js.js
Both of the JavaScript files lead to the same address:
- hxxp://204.145.80.216/search.php?q=3e1d86682675601a

Emsisoft Anti-Malware detects the dropped malware as variants of the ZeuS/Zbot trojan.
Verizon
The fourth email claiming to be from Verizon informs the victim about their bill payment.

Your bill payment has been applied to your Verizon Wireless account.
Here are the details of your payment confirmation.
Payment Amount: $1269.22
Payment Method: Visa Card
Manage Your Account Online
Clicking on the included link will take the victim to the following address:
- hxxp://trikonbaugkaraja.com/n1JJKeXj/index.html
This will download malware from the following address:
- hxxp://204.145.80.216/g.php?f=ba33e&e=1
EAM detects it as the ZeuS trojan.
LinkedIn
The last and maybe most frequently encountered spam email is a fake invitation from LinkedIn as shown in the image below:

The link in the email leads to the following address:
- hxxp://www.greenfactor.it/wp-content/themes/esp/page9.htm
This will download trojan Cridex from the following addresses:
- hxxp://uzindexation.ru:8080/forum/w.php?f=182b5&e=4
- hxxp://uzindexation.ru:8080/forum/w.php?f=182b5&e=1
In addition to these spam campaigns, we have also heard that millions of LinkedIn passwords have reportedly been leaked, as confirmed in a post on their blog:

If you are a LinkedIn user, you are strongly advised to change your password.
Most of this malware uses exploits such as the BlackHole Exploit Kit or PDF exploits, which target computers with unpatched vulnerabilities: in other words, the operating system or software installed on your computer, such as Adobe Flash, Adobe Reader and Java, is not updated or patched.
We strongly recommend always updating the operating system and the software you use to reduce the risk of malware infections.
We at Emsisoft are constantly improving our products, and are committed to delivering the best malware protection. A few weeks ago we released the new Emsisoft Anti-Malware 6.5 which includes a new feature that is highly relevant to this spam topic – an email scanner that is fully integrated with Microsoft Outlook and scans incoming and outgoing email attachments. You can find more details about all the new features of Emsisoft Anti-Malware 6.5 here.
At the moment there is no week without another spam campaign – this week we proudly present the US Airways ticket scam. The malware behind this scam is still the same as in the previous post, ZeuS a.k.a. Zbot, detected by Emsisoft Anti-Malware as Trojan-Spy.Win32.Zbot.
The following email subjects are being used:
- US Airways online check-in.
- US Airways online check-in confirmation.
- US Airways reservation confirmation.
- Confirm your US airways online reservation.

You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). After the check-in, all you need to do is print your boarding pass and proceed to the gate.
Confirmation code: 772129
Check-in online: Online reservation details
Flight
8507
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012
Clicking on the malicious link will take you to this screen:

By analyzing the source of the page we can see that it tries to access four JavaScripts from another URL:

All of these JavaScripts contact the same BlackHole Exploit Kit server containing the following text only:

The purpose of this address is to load Java and Adobe exploits to infect the system. Emsisoft Anti-Malware detects this threat as Exploit.Java.Blacole and Exploit.JS.Pdfka.

Finally, once the system is exploited more malicious executables are downloaded to continue stealing sensitive account information.
ZeuS is one of the best-known banking trojans and is spread very widely. We recommend keeping your security software and your Java and Adobe products updated.
No, this is not one of our job offers but rather one of the spam email subjects used by Zbot in the name of CareerBuilder. Switching to plain text reveals the real address, as follows:

Hello,
I am a customer service employee at CareerBuilder. I found a vacant position at Security Finance Corporation that you may be interested in based on details from your resume or a recent application you made on our site. You can review the position on the CareerBuilder site here:
Chief Human Resources Officer
We wish you best of luck!
Other subjects used by this spam campaign:
- You might be interested in this vacant position.
- You might be interested in this position.
- Careerbuilder.com has found an open position for you
- Careerbuilder.com has found a vacant position for you
But nobody's perfect: sometimes their social engineering fails and the email just shows a spam template, like the following text:

Within the last few days we received a lot of scam emails pretending to originate from the Mazon State Bank, Fedwire (Federal Reserve Wire Network), Hinsdale Bank & Trust Co. and many others. The majority of these emails contained information about a money transfer or about the account being disabled.
Of course the emails are a scam whose goal is to make victims click links that lead to malicious websites. The websites run the BlackHole exploit kit to infect the visiting computer with a spy trojan by exploiting known vulnerabilities, e.g. the MDAC vulnerability (CVE-2006-0003).

The malicious site additionally notifies the user to update Adobe Flash Player. Yes, this is also fake. If the victim clicks on that link, another piece of malware is downloaded. Emsisoft Anti-Malware detects it as a variant of Trojan-PSW.Win32.Zbot and Trojan-PSW.Win32.SpyEye.

There are a lot of different variants of the scam emails; here are some of them:

Dear account holder,
I regret to inform you that Money Transfer sent by you or on your behalf was hold by Mazon State Bank.
Transaction ID: 1707018975
Current status of transaction: on hold
Please review transaction details as soon as possible.
Eddy W. Jackson
Treasury Management

Good afternoon,
Your Account: Business Account XXX
Wire Amount: $ 72,549.89
Transaction Report: View
The wire transfer will be processed within 2 hours. Please make sure that everything is as you requested.
ELAINE GALVAN,
Federal Reserve Wire Network

Dear Account Holder,
I regret to inform you that Domestic Wire Transfer initiated by you or on your behalf was hold by Hinsdale Bank Trust Co.
Transaction ID: 1703559264
Current status of transaction: pending
Please review transaction details as soon as possible.
Sally Thorpe
Accounting Manager
Hinsdale Bank Trust Co
Every Facebook user is familiar with the friend invitation email from Facebook. But you should be careful, as our malware analysis team has detected that this is now a tactic used to infect users with malicious software.

In this case we received a phishing email with the subject “Kaamil Mahmoud wants to be friends on Facebook.“. But when the user clicks the “Confirm Friend Request” link, he is not directed to facebook.com but to the following address instead: hxxp://session49778166786155.downtohole.com/confirm/req/

The link leads to a fake Facebook page showing the message “Your version of Macromedia Flash Player is too old to continue. Download and install the latest version of Adobe Flash Player”. When the user clicks on the link “Download and Install“, the browser downloads a malware file named updateflash.exe, which contains the well-known trojan ZeuS, also known as Zbot.

Unfortunately, not executing the file doesn't mean the victim escapes infection, as the fake Facebook page also loads another address (hxxp://vampirefishsd.com) in the background. An exploit script that is part of the BlackHole Exploit Kit runs on this website. The address of the exploit is placed in a hidden iframe.
Whois records show that vampirefishsd.com was registered just a few days ago.
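Two of the indicators described in this page, a link whose visible text names a trusted site while its href points elsewhere (the Apple ID email above, revealed by hovering) and a hidden iframe that pulls in an exploit page in the background (this Facebook lure), can both be spotted by a pass over the HTML. Added example, not code from the post or from Emsisoft; the HTML and the hostnames in it are constructed placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a deceptive anchor, a consistent anchor, a 1x1 hidden
# iframe of the kind used to load an exploit-kit page, and a normal-sized iframe.
SAMPLE_HTML = """
<p>Please go to <a href="http://malicious.invalid/abc/index.html">iforgot.apple.com</a>
to reset your password.</p>
<a href="https://www.apple.com/support">Apple ID support page</a>
<iframe src="http://exploit-host.invalid/" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>
"""

# Anchor text that itself looks like a URL or hostname (what a user would read as the destination).
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class PageAuditor(HTMLParser):
    """Collect anchors whose visible hostname differs from their href host,
    and iframes that are sized or styled to be invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "iframe":
            tiny = a.get("width", "").strip() in {"0", "1"} or a.get("height", "").strip() in {"0", "1"}
            style = a.get("style", "").replace(" ", "").lower()
            if tiny or "visibility:hidden" in style or "display:none" in style:
                self.findings.append(f"hidden iframe loading {a.get('src')!r}")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            m = DOMAIN_LIKE.match(text)
            href_host = (urlparse(self._href).hostname or "").lower()
            if m and m.group(1).lower() != href_host:
                self.findings.append(f"link text {text!r} but href goes to {href_host!r}")
            self._href = None


def audit_html(html: str) -> list:
    """Return the list of deceptive-link and hidden-iframe findings for a page."""
    auditor = PageAuditor()
    auditor.feed(html)
    return auditor.findings
```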
Created On: 8/23/2011 3:38:46 PM
Expires On: 8/23/2012 3:38:46 PM
Last Updated On: 8/23/2011 3:38:46 PM
Domain Status:
Registrant [PAK11082372783-1]:
NA
Minette Bazin jones@mail13.com
3059 Pitfield Blvd
St Laurent, QC H4S 1H3
CA
Phone: 1.514817375 Ext:
Fax: 1.


The exploit script tries to infiltrate the victim's computer by exploiting several vulnerabilities. One of them targets Java, allowing the attacker to run the malware automatically without the user's knowledge and without requiring any interaction at all.
We advise you to update your operating system and all applications regularly, including the security programs that you use. Second, be careful with suspicious emails: emails from Facebook should always contain your name and the links should, of course, point to the legitimate Facebook website.
Again, we would like to remind you: if you receive an email that claims to come from a delivery company, do not believe it right away, because it could be a fake email that contains a virus.
It seems these have started to rise again, as we are still receiving many reports of these spam emails in recent days.
Here are some examples of the spam emails that were sent:
Dear Customer!
Your package has been returned to the DHL office.
The reason of the return is – Incorrect delivery address of the package!
Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the DHL office in order to receive the packages.
Thank you!
DHL
or like this:
FedEx Reminder – Invoice XXX
Dear Customer!
Please refer to your last parcel invoice copy attached.
Thanks a lot,
FedEx.
And here’s the “Post Express Service”:

Post Express Service. Get the parcel XXX
Dear Customer.
Your package has been returned to the Post Express office.
The reason of the return is “Incorrect delivery address of the package”
Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.
Thank you for your attention.
Post Express Service.
or:
Post Express! Get the parcel XXX
This is a post notification
Email notification ID:xxxxxxxx
Your package has been returned to the Post Express office.
The reason of the return is “Error in the delivery address”
Important message!
Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.
Thank you for attention.
Post Express Support
The email could also just contain an image, like this one:

United Parcel Service notification #XXX
Dear customer,
The parcel was sent to your home address.
And it will arrive within 3 business days.
More information and the tracking number are attached in document below.
Thank you.
United Parcel Service
And there are many more, since the emails are sent in various formats.
Emsisoft Anti-Malware detects each of these attachments as the Oficla, Zeus/Zbot or SpyEye trojan.
There's no doubt that this social engineering technique is still effective at luring users into opening attachments or clicking on malicious links. In the most recent sample we received, when the user executes the attachment, the malware downloads fake “shipping documents” from the following address and then opens them automatically:
- hxxp://mialedot.ru/3SEag1rs5f/document.doc


If you receive a suspicious email like this, please do not open the attachment or click the given links. You could contact the appropriate company to make sure, or just forward the email to us to be analyzed.
More information:
DHL - http://www.dhl.com/en/express/resource_center/fraud_alert.html
FedEx - http://fedex.com/us/security/prevent-fraud/index.html
UPS - http://www.ups.com/content/us/en/resources/ship/fraud.html
Join the Emsisoft Facebook page, and don't forget to follow our Twitter to stay updated.