Archive for July 21st, 2008


Jul21
by Jake Soriano (Technical Communications)

Ideas on a world financial crisis seem to be on everyone’s minds these days, even malware authors’. In a recent spamming operation, the Storm gang takes advantage of users’ fears of global economic problems.

Localizing the attack to citizens of the still hypothetical North American Currency Union, these spammed email messages promise more information on the present world financial situation as well as a supposed glimpse into plans regarding the implementation of amero – the currency of the said union.

Here’s a screenshot of an email:

The link leads users to the following site, which in turn leads to a Storm variant, detected by Trend Micro as WORM_ZHELATI.AHH:

Neither amero nor the North American Currency Union exists of course, as these remain ideas only, at least for today. Conspiracy theories abound, however; there are rumors about secret pacts between the United States, Canada, and Mexico, but these remain unsubstantiated. Last year, there were reports of the United States Treasury issuing amero coins, but this was later proven to be untrue.

Besides using these rumors to lure curious online users, the other and more effective social engineering technique in this attack is the reference to the financial crisis, which is a genuine concern for everyone, especially now.

We strongly advise users not to click links in email messages. Accurate news always comes from reliable sources.

Interestingly, this is now the second instance of Amero and malware together. Online users, and this time even those outside North America, would remember Julie Amero, a substitute grade school teacher who has been the subject of international media coverage. Amero was convicted of impaired morals when a computer she was using while teaching began showing pornographic images. Amero was granted a new trial, with her defense centered on claims that malware caused the incident.

Update as of 22 July 2008, 4PM PST
An email sample submitted by Advanced Threat Researcher Paul Ferguson was quite similar to the previously reported Amero spam, only with a different IP address. Upon further analysis by our threat researchers, however, the message was verified to be a spam sample of a new WORM_NUWAR variant. The link in the email message leads to the file amero.exe, which is detected as WORM_NUWAR.ATK. Below is a screenshot of the said message:

Posted in Spam

Jul21
by Aivee Cortez (Fraud Analyst)

Phishers are doing their homework. The conventional way is to ask users to update their accounts by asking them to click a certain link. A phishing email usually displays a legitimate-looking URL or hyperlink; upon clicking it, the user is redirected to the phishing Web site.

But now, there is no URL at all in new phishing email samples we have discovered. They display a legitimate email address instead. This tricks users into believing that the recipient of the user name and password they send is a legitimate party; looking at the source code of the mail, however, replies actually go to an individual email address, the phisher’s. Here are screenshots of no-URL phishing email messages:


Figure 1. Spam sample scaring users into “upgrading” their Earthlink accounts in order to avoid closure.


Figure 2. Source code of the same spam mail in Figure 1 shows that any replies are actually sent to the phisher’s email address. The email address in the source code is not the email address displayed earlier.

Another variety of the no-URL phishing email is the technique of displaying the actual form to fill out while hiding the recipient, the phisher’s email address. Here are two other sample email messages:


Figure 3. Spam sample asking users to verify their email accounts immediately by providing certain required information.


Figure 4. Source code of the same spam mail in Figure 3 shows that any replies are actually sent to the phisher’s email address.

They seem to have discovered a way to let their email slip through typical URL scanning efforts (since there are no URLs to scan). However, Trend Micro users are covered by the Smart Protection Network, which blocks email messages like these by analyzing the body of the email. Furthermore, this type of phishing attack is already detected by our antispam patterns.
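A body-and-header check for the mismatch the figures describe, written as an added example that is not part of the original post. It assumes the diverted reply is carried by a Reply-To header whose domain differs from the displayed From address, or, for the form variant, by an HTML form posting to a mailto: address; the message below is constructed for illustration.

```python
# Added example: heuristic for "no URL" phishing mail that asks for credentials
# and diverts the reply. Assumptions: the displayed sender is the From header,
# the diversion is a Reply-To header on another domain, and the form variant
# uses <form action="mailto:..."> to reach the phisher.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the post).
SAMPLE_EML = """\
From: Earthlink Support <support@earthlink.example>
Reply-To: upgrade-team@freemail.example
To: victim@earthlink.example
Subject: Account upgrade required
Content-Type: text/plain

Your account will be closed unless you upgrade it today.
Reply to this message with your username and password.
"""

CREDENTIAL_WORDS = ("password", "username", "user name", "verify your account")

def domain_of(header_value):
    """Lower-case domain of an address header, or '' when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def extract_text(msg):
    """Concatenate text/plain and text/html parts (walk() also handles single-part mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def find_mailto_forms(body):
    """Recipients of HTML forms that post straight to a mailto: address."""
    return re.findall(r'<form[^>]*action=["\']mailto:([^"\'?]+)', body, re.I)

def analyse(raw):
    msg = message_from_string(raw)
    text = extract_text(msg)
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    f = {
        "no_url": not re.search(r"https?://|www\.", text, re.I),
        "asks_credentials": any(w in text.lower() for w in CREDENTIAL_WORDS),
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "mailto_forms": find_mailto_forms(text),
    }
    # Credential request plus a diverted reply path is the signal; no URL alone is not.
    f["suspicious"] = f["asks_credentials"] and (f["reply_to_mismatch"] or bool(f["mailto_forms"]))
    return f
```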

Posted in Phishing

Jul21
by Jovi Umawing (Technical Communications)

Florabel Baetiong of the Trend Micro Content Security (CS) team reports on a type of fake email message circulating on the Net that contains a YouTube video-sharing notification, supposedly from someone who wants to share an adult video with the recipient. Below is a screenshot of the said email notification:

Figure 1: Fake YouTube email notification

The said email message is written in Portuguese.

Once recipients click on the link, they are directed to a site where they are prompted to download a bogus Flash Media Player (see Figure 2), which is actually a suspicious file that Trend Micro detects as MAL_BANLD-1.

Note that files detected under this heuristic detection name exhibit characteristics typical of BANLOAD Trojan variants. As one may know, BANLOAD Trojans are capable of downloading other malware and spyware onto the affected system.

Figure 2: Purported YouTube Site where the user is prompted to download a fake Flash player

AS Pattern 6040 can now detect the said spam email.

This is the third consecutive month in which YouTube has been used by spammers and malware authors to entice users into clicking on a link that downloads a malicious file, and TrendLabs has been documenting spam of this nature throughout. You may refer to the blog entries outlined below:

Posted in Spam


© Copyright 2008 Trend Micro Inc. All rights reserved.