We were recently made aware of attacks leveraging the data breach that involved Epsilon.
According to reports, the attack involves a Web page that looks very similar to the press release issued by Epsilon concerning the breach. The page also instructs the recipients to click a link at the bottom of the post in order to download and run a tool that will supposedly help them determine whether their personal information was among the data disclosed during the attack.
We were able to analyze the details of the attack and found that the link downloads an .EXE file now detected as TROJ_MSPOSER.ASM. Running TROJ_MSPOSER.ASM displays the following GUI, which seems to suggest that the system is being checked.
Of course, the graphic is there only to convince the victims that what they downloaded is a tool that will help them determine if their information is still secure. In the background, however, another malicious file is being installed on the system.