    Archive for April, 2009




    After spam runs related to UPS, FedEx, and Western Union, another form of invoice spam strikes again!

    We caught a new invoice spam that is purportedly from WorldPay, a division of the Royal Bank of Scotland that specializes in handling secure online payments from all over the world.

    The spammed email message informs users that their transaction with Amazon Inc. has been successfully processed by WorldPay.

    The said email contains a .ZIP file, which holds a malicious file named WorldPay_NR9712.exe. This file is detected by Trend Micro as TSPY_ZBOT.BEO through the Smart Protection Network.

    TSPY_ZBOT.BEO downloads a configuration file from a remote site. This file contains a list of bank-related Web sites, which the spyware monitors in the Internet browser address bars. 

    The URLs listed in the downloaded configuration file may change at any time. As of this writing, the file contains links to the legitimate sites of Bank of America.

    When a user accesses any of the listed URLs, the spyware logs keystrokes to capture data entered in login boxes, including sensitive banking information such as user names and passwords. The gathered information is saved in a file, which is then sent to a remote site through an HTTP POST request.

    Here are previous reports of invoice spam:




    After the World Health Organization raised its global alert level on the spreading swine flu virus, spammers quickly used this event for their spam campaigns. Early this morning, we saw spam samples using “Swine flu worldwide!” or “Swine flu outbreak!” as their email subject. Spammers use this social engineering technique because having the latest news as the mail’s subject greatly increases the chance that the recipient will open their spammed messages.


    The spammed messages’ content is not about the swine flu virus at all; it is a short message typical of meds spam, with a link that directs the recipient to an online store selling penis enlargement pills.


    The messages are already blocked by the Smart Protection Network. Users are advised to ignore similar messages that may arrive in their inbox and to rely on more reputable sources for information about swine flu. The pandemic has reportedly claimed 149 lives in Mexico, the epicenter of the outbreak, while more and more cases are being reported from other parts of the globe.




    They say the Internet is making the world smaller. Whether that’s the case for the rest of us is debatable, but for one group of people it’s definitely true: spammers.

    Consider this new sample that our team came across recently:


    It appears to come from the Brazilian portal site Terra. That, in itself, makes it a little unusual, as attacks of this type usually target better-known global portals such as Yahoo and Google.

    The spam claims that someone has sent a message and that the user can access the message and photos by clicking on the link provided in the email itself. Note, too, that the bottom of the e-mail contains a claim that the message has been scanned by security software. It tries to make users believe that the e-mail is free of malicious code — which, no surprise, it isn’t.

    When the user clicks on the link, it redirects to and downloads a malicious file, “AlbumPicasa.scr,” a Trojan detected as TROJ_DLOADR.VIA.

    This Trojan connects to URLs to download files named “WindowsUpdate.exe” and “rootx.exe,” which are a TROJ_BANKER variant and another TROJ_DLOADR, respectively. BANKER variants are infamously rampant in the Latin American region, where users consider online banking a major convenience–a trend cybercriminals did not miss.

    Trend Micro Smart Protection Network blocks spam–protecting users from encountering this threat.




    Nikki Catsouras

    Let’s face it — cybercriminals never squander an opportunity to take advantage of potential victims’ curiosity, no matter how unethical, sick & twisted, or unscrupulous.

    Look at the tragic death of film star Heath Ledger. His untimely death was immediately used by cyber criminals to lure victims into their malware lair.

    But this is much, much worse.

    This comes on the heels of a Newsweek article published yesterday that discusses one family’s efforts to sue the California Highway Patrol, among others, for leaking pictures of their dead daughter’s mangled body from a grisly car crash onto the Internet. The family has also hired a professional “reputation defender” to track down and remove the shocking, unauthorized, leaked, and grisly pictures of Nikki’s body at the crash site.

    Truly, this must be a painful and emotionally exhausting issue for the Catsouras family, even almost three years after her death.

    Now we find that Russian cyber criminals are attempting to exploit potential victims’ sick curiosity by registering a domain and using it to distribute malware to people who visit the site wanting to view a “video” of this horrendous event.

    These criminals have apparently also done some extensive SEO (Search Engine Optimization) work, since a search for “Nikki Catsouras” currently shows the malicious website in the number one spot.

    Trend Micro has found several different variants of malware located at the specific domain in question — everything from rogue AV and an AUTORUN worm to new Zlob malware.

    This domain/URL is already blocked by the Trend Micro Smart Protection Network, and this particular Russian hosting provider has a colorful history lately as being very friendly with Russian/Ukrainian cyber criminals, post-Russian Business Network (RBN):

    % Information related to '94.103.88.0 - 94.103.95.255'

    inetnum: 94.103.88.0 - 94.103.95.255
    netname: MCHOST-NET
    descr: servers
    country: RU
    admin-c: MI1667-RIPE
    tech-c: MI1667-RIPE
    status: ASSIGNED PA
    mnt-by: MCHOST
    mnt-routes: MERCUR-MNT
    source: RIPE # Filtered

    role: McHost.Ru Inc
    address: Michurinskiy av., 27 K5
    address: 117607
    address: Moscow, Russia
    remarks: McHost.Ru contacts
    remarks: -----------------------------------------------
    remarks: SPAM and Network security issues: abuse@mchost.ru
    remarks: Customer support: support@mchost.ru
    remarks: General information: info@mchost.ru
    remarks: -----------------------------------------------
    e-mail: info@mchost.ru
    admin-c: RSV24-RIPE
    tech-c: RSV24-RIPE
    mnt-by: MCHOST
    nic-hdl: MI1667-RIPE
    source: RIPE # Filtered

    % Information related to '94.103.88.0/21AS48172'

    route: 94.103.88.0/21
    descr: McHost servers
    origin: AS48172
    mnt-by: MERCUR-MNT
    source: RIPE # Filtered

    My advice: Steer clear of anything located in McHost. They are gaining a notorious reputation as a haven for Russian/Ukrainian cyber criminals. Sure, there may be legitimate domains hosted by McHost, but their reputation as a legitimate hosting provider is becoming very questionable.

    Please note — this is NOT THE ONLY hosting provider being used by this criminal operation; in fact, these cyber criminals are currently using hosting services in Ukraine, Latvia, The Netherlands, Germany, The UK, and the United States.

    And this particular incident illustrates that they have no morals or ethics.

    Trend Micro security researchers & analysts work overtime tracking these threats, so you can rest assured — we are on it.

    Hat-tip: Daniel




    Every year, April 15th marks the deadline for the submission of tax returns in the US, and with it comes the now-classic IRS (Internal Revenue Service) scam.

    Scammers are on the hunt for those who have not yet been able to file their tax returns. Knowing how busy people are these days, scammers have taken advantage of this and sent out scam mails that lure their prey into handing over personal information. They have even taken the initiative to provide their victims with the very form they have to fill out.

    These cybercriminals especially target non-resident aliens in the United States, since they are the ones likely to file a “Certificate of Foreign Status of Beneficial Owner for United States Tax Withholding.” However, the said certificate, FORM W-8BEN, which is attached to the mail, has been altered. It asks for a number of personal details that the real form does not require, for instance, bank account numbers.

    The scammers may be taking their chances, since they are never sure whether they have actually sent this email to a non-resident alien. The recipient may simply delete the email and forget about it. However, if the scammers hit paydirt and the victim takes the bait, they are well compensated for their efforts with the victim’s personal information. Moreover, if this particular mail reaches an ambitious recipient, he/she might take this bogus opportunity to be exempted from paying tax.

    Here are screenshots of the altered FORM W-8BEN and the real deal, side by side:


    Although the email is rather convincing, there are several signs that people might (or may I say SHOULD) use to recognize this mail as a scam:

    • The IRS would not ask for your bank account number or PIN
    • The IRS would not ask for this form to be submitted through a private fax number
    • The IRS would not ask for the form to be sent urgently, threatening to withhold 30% “of the interest paid to you” as a consequence for your delinquency within only a week

    These spam mails are already detected in our latest AS Full Pattern (AS6596). Trend Micro Smart Protection Network protects its users from these and other similar scams this tax season.
