Scams Surging Again with Old Tricks; Visa Cards Used

Jay Decenella, IT audit expert
August 19, 2011

A wave of scam emails spread across the world last week claiming to come from Visa Customer Services, carrying the same payload that spammers used in an earlier scam campaign, according to security vendor McAfee.

“Looks like the spammers ran out of new binaries,” said McAfee’s Arun Pradeep.

The scam email was found to contain the subject line: “Your credit card has been blocked – Central European (ISO).”

McAfee noted that the mail included the malicious executable “VISA_complete_NR.doc” zipped into a file with a random name.

The malware was packed with another executable that was a fake antivirus program.

“At McAfee we observed that this same payload has been distributed across the world with different names using different scam campaigns,” Pradeep said.

The dropped malware randomly chooses the rogue AV payload (XP Security 2012 or Personal Shield Pro) from the remote server.

McAfee said these binaries did not carry a document-file icon, unlike earlier variants, so they were not covert enough to hide from users.

“Our cloud-based Artemis technology revealed that this scam was a global target.”
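The lure described above is an executable named like a document and zipped into an archive with a random name. As an added example (not McAfee's code), the check below opens an attachment archive and flags entries whose extension claims a document but whose first bytes are the "MZ" header of a Windows executable; the sample archive is constructed in the script and the `.doc` entry is a harmless PE stub, not the real payload.

```python
"""Flag zip attachments whose entries claim a document extension but begin
with a Windows executable header (the fake-.doc pattern in the Visa scam)."""
import io
import os
import zipfile

DOCUMENT_EXTENSIONS = {".doc", ".pdf", ".xls", ".rtf", ".txt"}
PE_MAGIC = b"MZ"  # every DOS/Windows PE executable starts with these two bytes


def masquerading_entries(zip_bytes):
    """Return the names of archive members that look like documents by
    extension but start with an executable header. Takes the raw bytes of
    the attachment so it can run on a captured mail part offline."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext not in DOCUMENT_EXTENSIONS:
                continue
            # Only the first two bytes are needed to recognise a PE stub
            with archive.open(info) as member:
                head = member.read(2)
            if head == PE_MAGIC:
                findings.append(info.filename)
    return findings


def build_sample_attachment():
    """Constructed sample: a zip holding a fake .doc (PE stub, not malware)
    named after the file McAfee reported, plus a genuine RTF document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("VISA_complete_NR.doc", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        archive.writestr("notes.rtf", b"{\\rtf1 harmless text}")
    return buf.getvalue()


if __name__ == "__main__":
    print(masquerading_entries(build_sample_attachment()))
```

Because the archive name is randomised, the check keys on member contents rather than on file names.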

Separately, M86 Security Labs observed that a “massive” surge in spam emails that began in April this year has grown worse this week.

“From the beginning of August, we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the SpamIt takedown last October,” Rodel Mendrez of M86 said.

According to the security firm, the majority of the malicious spam comes from the Cutwail botnet, the multi-faceted Pushdo botnet that sends a wide range of campaigns promoting pharmaceuticals, designer ripoffs, software and more, probably reflecting its multiple customers.

It sends spam emails with malicious attachments, usually within a Zip file, with amazing regularity.

According to M86, it used to use celebrity names, such as Angelina Jolie, as hooks to entice users to open the attachment.

More recently the botnet has switched to fake invoices. Pushdo also sends malicious campaigns exploiting social networking brands, such as Facebook.

M86 describes the botnet as actively distributing phishing emails targeting customers of a wide range of financial institutions. It is somewhat slower at sending spam than some of the more recent spambots.

Mendrez said: “This is an epic amount of malicious spam. After multiple recent botnet takedowns, cyber criminal groups remain resilient, clearly looking to build their botnets and distribute more fake AV in the process. It seems spammers have returned from a holiday break and are enthusiastically back to work.”
