I wrote a blog entry last week about fraudulent websites that scam users into purchasing tickets to the much-anticipated FIFA World Cup in Brazil. Just recently I found another threat that used the FIFA World Cup as a social engineering hook, this time it involves a banking Trojan.
Banking Trojans are popular in the Latin American region so this threat seems rather timely considering the World Cup fever. Customers of an online ticketing website received an email that supposedly offered an opportunity for participating in a raffle. However, what’s surprising about this email is that it contains the recipient’s personal information—the same data that the recipient entered when they registered. See the email screenshot below:
Figure 1. The email content claims that the recipient is eligible for a raffle entry for World Cup tickets that will be activated by clicking on a link.
The link embedded in the email leads to a file download at a legitimate file-sharing service called Pastelink.me. Cybercriminals took advantage of the site’s database leak to spread banking Trojans. The downloaded file is detected as TROJ_BANLOAD.SM5, a banking Trojan in CPL format.
The ticket site has published a notification on their website about these spammed messages. The message in the screenshot below translates to “Important Announcement. Alert: Fake E-Mail disguised as World Cup. There are fake e-mails circulating that offer World Cup tickets and are disguised as originating from (name of site). This promotion doesn’t exist.”
Figure 2. Site notification
How did spammers get a hold of the registered users’ data?
Notice that the spammed message contained accurate user data, which included their full names, addresses, birth dates, gender and email address. How was this possible?
In response to a customer complaint, the ticketing site said the user data used in the spammed message did NOT come from their systems. The screenshot below is from a user complaints website, which clarifies this to their registered users. The screenshot below translates to: “Dear customers, the promotion offering World Cup tickets are fake and the data used in the spam did not come from our systems. The case is already handled by the authorities.”
Figure 3. Customer notification
Who’s to blame?
If the leaked data did not come from the site, then who’s to blame? The answer to this remains unknown as there is no legal obligation in Brazil that mandates companies to notify the public about possible or confirmed data breaches. In the event of a possible data breach, it is only recommended for companies to notify individuals when it comes to consumer data (in which the website’s registered users are considered consumers). Additionally, there no existing laws in Brazil that deal specifically with data transfer.
While much of the developed countries (such as in the case of the European Union) seem to be acting quickly to protect users’ personal data, incidents such as these highlight the importance for privacy laws in countries like Brazil. Just last April, the government in Brazil passed a law that can protect user privacy. With less than 2 weeks away, the upcoming 2014 FIFA World Cup is constantly generating a lot of buzz from both avid sports fans and cybercriminals looking to make a quick buck so we can expect more attacks in the coming weeks.
Trend Micro protects costumers by blocking the download URL of associated files, command-and-control (C&C) servers, file hashes and e-mail origin IPs.
The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events. We’ll soon be featuring the 2014 FIFA World Cup.
Update as of 6:20 AM, June 4, 2014
The hashes involved in this attack are: