Archive for June 19th, 2009


Jun19
by Gaye Ofilas (Anti-spam Research Engineer)

Cybercriminals pose as tattletales about to reveal something scandalous in a malicious spam run we’ve encountered recently.

Cybercriminals crafted the spam messages to look like email from YouTube. Each message arrives with a link that supposedly leads to a video posted on the video-sharing website.


The message is written in Portuguese and roughly translates to the following:


A friend sent a video to YouTube, the following message:
Open your eyes!
Much admire the way that treats all situations!
Well, I to the chase.
I said I would find a way to prove what I have been told to you many days.
Look at this video!
The two were thinking they had nothing recording were mistaken there is the video of the two transactions recorded in the cell.
You’ll thank me later because I have done it hugs.


Clicking the link triggers the download of Video.com, which is actually a worm detected by Trend Micro as WORM_RUNOUCE.G. When installed on a system, WORM_RUNOUCE.G uses its own SMTP engine to send email messages to the contacts in the affected user’s address book. The email uses the following format:

FROM: [email address]
TO: {recipients name}
SUBJECT: {random name} is comming!
Attachment: PP.exe

The attachment PP.exe is a copy of WORM_RUNOUCE.G. This puts the affected user’s contacts at risk of infection by the same malware.

The intriguing nature of the message might just be enough to trigger curiosity in recipients’ minds to get them to open the email, which contains a different kind of malicious material. Both the spam email and malicious file are blocked and detected respectively by the Smart Protection Network.


 
Posted in Malware, Security, Spam |

Jun19
by Mary Bagtas (Anti-spam Research Engineer)

The Australian Taxation Office (ATO) is calling on people to start thinking about lodging their 2008 tax returns. With this event approaching, spammers are using it as bait in phishing emails.

The email contains a letter claiming to be from the ATO. It informs the recipient that he or she is eligible to receive a tax refund. It then asks the recipient to fill in the form attached to the email, click the PRINT button, and then send it to the head office.

The attached form uses a double extension, .PDF.HTM, to trick users into thinking they are filling in a PDF file when it is really an HTML page.
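An attachment-name check for a mail gateway, covering the double extension described above as well as the Video.com and PP.exe names from the earlier post. This is an added example, not Trend Micro's code; the extension lists, the verdict names and the sample file name Tax_Refund_Form.PDF.HTM are assumptions (the page gives only the extension).

```python
import os

# Assumed policy lists for this example; tune them to your own gateway rules.
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
ACTIVE_CONTENT = {".htm", ".html", ".hta", ".js", ".vbs"}
DECOY = {".pdf", ".doc", ".xls", ".jpg", ".txt", ".avi", ".mpg"}


def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    # Drop any path, then the trailing dots/spaces that Windows ignores.
    name = os.path.basename(filename.replace("\\", "/"))
    name = name.strip().rstrip(". ").lower()
    stem, last = os.path.splitext(name)   # real (final) extension
    _, inner = os.path.splitext(stem)     # extension the user thinks they see

    risky = last in EXECUTABLE or last in ACTIVE_CONTENT
    if risky and inner in DECOY:
        return "block", f"double extension: {inner}{last} poses as {inner}"
    if last in EXECUTABLE:
        return "block", f"executable attachment ({last})"
    if last in ACTIVE_CONTENT:
        return "review", f"active content ({last}) can submit form data"
    return "allow", "no risky extension"


if __name__ == "__main__":
    # Constructed sample names; only .PDF.HTM, Video.com and PP.exe
    # come from the posts on this page.
    samples = ["Tax_Refund_Form.PDF.HTM", "Video.com", "PP.exe",
               "statement.pdf", "form.htm", "invoice.pdf.exe. "]
    for sample in samples:
        verdict, reason = classify_attachment(sample)
        print(f"{sample!r:28} {verdict:7} {reason}")
```
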


A closer look at the form reveals a section that asks for the recipient’s account information and states, “Please enter your account information where the 568.24 will be debited.” Note that according to the email, the user is eligible for a tax refund. However, the spammers chose to fill in that field themselves.

Furthermore, the form asks for the user’s card number and PIN, which should be irrelevant if this is for a tax return.

Once the user completes the form and clicks the PRINT button, a window will appear where the user can specify settings related to the printing process. It may look like a normal process but while the document is being printed, the browser will connect to a site, sending the entered details there.


Users should bear in mind that, especially in these times of crisis, criminals will never tire of making offers of money or other goods to mask their true intentions.

The Smart Protection Network blocks both the spam email and the phishing website.

 
Posted in Phishing, Security, Spam |


© Copyright 2009 Trend Micro Inc. All rights reserved.