Shopping Scam E-mail Delivers Bot-like Trojan

Director of PandaLabs, Luis Corrons studied one shopping scam electronic mail his wife received that provided elaborately about her so-called Internet-based buying of an overtly antique Brad jacket in extremely fine whole grain leather, so published InfoSecurity dated February 16, 2012.

However, as per Mrs. Corrons, she never bought the mentioned jacket; indeed, she hadn't even made any purchase from that online shop. So Luis Corrons re-examined the e-mail and realized that the message wasn't legitimate. Often cyber-crooks utilized such social engineering tricks, nonetheless, the related e-mails weren't so detailed, he blogged and Pandasecurity.com published it on February 16, 2012.

Beginning with the normal header: "CULT Order Configuration (CULT78318)," the phishing electronic mail after thanking the recipient because she (apparently) bought with CLUT, requested her to see the details attached underneath for making sure her order was right. Thereafter it states that incase of any clarifications regarding her order, she may get in touch with the online store and let 3-5 days to get her order delivered. Meanwhile, she can view the order through a given web-link, while make the payment through debit/credit card.

But Corrons said that upon clicking the web-link, the user landed on another place, and since the message was an html one as also the actual URL wasn't visible inside the text; it made the user believe he'd view the originally placed order.

Specifically, the web-link instead of leading onto the online-store takes the user onto a different website, which directs him for taking down a file called CULT78318.exe. Notably, this filename again uses the Internet shop's name along with the mentioned order's code. There's also a sign of Adobe for making the file look like a PDF document instead of an executable.

Actually, there's one extremely harmful Trojan having the functions of a bot that comprises a keystroke logger for filching banking information and passwords.

This Trojan, when planted, opens a registry for making sure it'll be run whenever the PC boots up. The registry is given the moniker "Windows Defender" to make it appear like legitimate software. Furthermore, for countering firewall, the Trojan changes the registry's values too.

Related article: Spamhaus’ List Of 10 Worst International Spammers

» SPAMfighter News - 2/21/2012