Most people want to stay on top of their bills, and not pay them late. But recently, unexpected emails claiming an overdue invoice have been showing up in people’s inboxes, causing anxiety and ultimately a malware attack. Read this report from the Avast Virus Lab, so as a consumer you’ll know what to look for, and as a systems administrator for an SMB or other website, you will know how cybercrooks can use your site for this type of social engineering scam.
Recently we saw an email campaign which attempted to convince people to pay an overdue invoice, as you can see on the following image. The user is asked to download an invoice from the attached link.
The downloaded file pretends to be a regular PDF file, however the filename “Total outstanding invoice pdf.com” is very suspicious.
When the user executes the malicious file, after a few unpacking procedures, it downloads the final vicious payload. The Avast Virus Lab has identified this payload as Pony Stealer, a well-known data-stealing Trojan which is responsible for stealing $220,000, as you can read here.
We followed the payload URL and discovered that it was downloaded from a hacked website. The interesting part is that we found a backdoor on that site allowing the attacker to take control of the entire website. As you can see, the attacker could create a new file and write any data to that file on the hacked website, for example, a malicious php script.
Because that website was unsecured, cybercrooks used it to place several Pony Stealer administration panels on it, including the original installation package, and some other malware samples as well. You can see an example of Pony Stealer panel’s help page written in the Russian language on the following picture.
Avast Virus Lab advises:
For Consumers: Use extreme caution if you see an email trying to convince you to pay money for non-ordered services. This use of “social engineering” is most likely fraudulent. Do not respond to these emails.
For SMBs: If you are a server administrator, please secure your server and follow the general security recommendations. As you learned from this article, you can be hacked and a backdoor can be put in your website allowing anyone to upload whatever he wants to your website. Protect yourself and your visitors!
SHA’s and detections:
Avast detections: Win32:Agent-AUKT, Win32:VB-AIUM
I would like to thank Jan Zíka for discovering this campaign.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
Christmas time is essentially connected with buying presents. There’s a lot of stuff to be done and a lot of opportunities to buy a present in an e-shop to save time. Who doesn’t know someone who buys a Christmas gift online?
The malware authors know and are very keen to take advantage of it. We see scam emails containing order or delivery details every day and they have a lot of common. In fact, it’s nothing new. Such methods are used constantly during the year, it’s nothing special connected to Christmas. However, Christmas is the reason why many people might be fooled. Let’s look at them in detail.
Imagine you are customer waiting for a present to be delivered. You get anxious and check your email waiting for order details. You are probably the most vulnerable at this time. Then you get an email from DHL, the well-known parcel delivery service, with a notice saying that the shipping details are in an attachment. In that moment of relief, you click on the email attachment. It turns out to be a zip file containing a file named DHL-parcel.exe. The strange thing is the file extension looks like regular PDF file because it has the same icon. In fact, it is malware.
A low-tech type of identity theft is threatening Facebook users in South Africa. Facebook “cloning” has been around for years, but has had a revival this past week. We learned about it in a personal way – the brother of an Avast colleague, Richard B. from South Africa, had his profile cloned and notified Richard.
The way it works is that a cybercrook copies the victim’s profile photos, then uses them to create fake accounts. Then, using the victim’s details, a friendship request is sent to friends. The clue that something fishy is happening comes when you receive the request, but thought you had already ‘friended’ that person. One Facebook user explained in an article on ENCA.com that he received a friendship request from his sister while she was sitting next to him.
Cloned accounts can be used to send spam messages, initiate scams, and possibly steal personal information that could be used for more serious identity theft. In the recent cases, there are reports that once the request has been accepted, the scammer starts soliciting money from ‘friends’.
It can also be used for social media sabotage. An experiment conducted in 2011 showed that the implications of this type of social engineering range from mere trickery to damaging reputations. You see, through the ‘trusted friends’ password recovery feature, it is possible that someone can reset your password and gain access to your account.
Check privacy settings and be cautious about who you friend and what you share. This video explains about the recent attacks and how to avoid your profile being cloned.
edit: changed image