Oi Fotos, a photo storage Web site in Brazil, has been victimized recently by a phishing-spyware combo.
Figure 1: Screenshot of the legitimate Oi Fotos Web site
The bad guys have taken advantage of the mobile service of Oi Fotos. The phishing email notifies the recipient that photos have been sent to them from a cellular account and offers an opportunity to view the photos. To do so, of course, the recipient needs to click on the image.
A rough translation of the displayed text is as follows:
"You received a Oi Photos from cellular (0xx) **** - 2981. To see the photos, just click on the image below."
Figure 2: Sample screenshot of the phishing email
Upon clicking as directed, the recipient is taken to a malicious phishing site, which eventually attempts to install a piece of spyware, a program that monitors and gathers user information (e.g. online banking login credentials) from the victim’s machine.
Figure 3: Sample screenshot of the pop-up window that prompts users to download a spyware file on their systems
Trend Micro already detects the file as MAL_BANKER, a heuristic detection name for files that manifest characteristics similar to those of the TSPY_BANCOS and TSPY_BANKER spyware families. These families can steal online banking information.
The URLs are now blocked by the Trend Micro Smart Protection Network.