We have recently detected a new spam attack that attempts to grab the bank data of Brazilian users.
The mechanics of this attack are simple. Users receive this spam email:
The mail claims that the user has received an e-card and contains a link to “read” the card. When the user clicks the link, a file is downloaded and executed:
Nothing appears to happen, except that Internet Explorer opens and shows a web card related to the initial phishing email. In the background, however, the HOSTS file is changed and set to redirect certain Brazilian banking Web sites to a malicious Web site. All information posted in any of these pages will then be grabbed by the attacker.
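The HOSTS file change described above can be checked for on an endpoint. The following is an added example, not code from the original post: it parses HOSTS file content and reports watched banking hostnames that are mapped to anything other than a loopback or unspecified address. The watchlist domains and the sample file are constructed placeholders, since the post does not name the targeted banks or the malicious server.

```python
import ipaddress

# Hypothetical watchlist; the original post does not name the targeted banks.
WATCHED_SUFFIXES = ("bank-a.example", "bank-b.example")

# Constructed sample of a tampered HOSTS file (documentation IP range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bank-a.example bank-a.example   # injected
203.0.113.45    internetbanking.bank-b.example
0.0.0.0         ads.tracker.example
10.0.0.5        intranet.corp.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a HOSTS file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, not a mapping
        for name in fields[1:]:                  # one line may list several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(hostname):
    """True if hostname is a watched domain or one of its subdomains."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_redirects(text):
    """Return watched hostnames pinned to a non-loopback, non-unspecified IP."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        # Loopback/unspecified entries are typical of ad blocking, not redirection.
        if is_watched(name) and not (ip.is_loopback or ip.is_unspecified):
            hits.append((line_no, str(ip), name))
    return hits

if __name__ == "__main__":
    for line_no, ip, name in find_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `find_redirects` in place of the sample.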
This spam email is now blocked by the Smart Protection Network. In addition, the malicious file involved is now detected as TSPY_BANCOS.JCM, and the malicious Web site is also blocked.