We caught a new invoice spam that is purportedly from WorldPay, a division of the Royal Bank of Scotland that specializes in handling secure online payments from all over the world.
The spammed email message informs users that their transaction with Amazon Inc. has been successfully processed by WorldPay.
The said email contains a .ZIP file, which holds a malicious file named WorldPay_NR9712.exe. This file is detected by Trend Micro as TSPY_ZBOT.BEO through the Smart Protection Network.
TSPY_ZBOT.BEO downloads a configuration file from a remote site. This file contains a list of bank-related Web sites, which the spyware monitors in the Internet browser address bars.
The URLs listed in the downloaded configuration file may change at any time. As of this writing, the file contains links to the legitimate sites of Bank of America.
When a user accesses any of the listed URLs, the spyware logs keystrokes to capture data entered in login boxes, including sensitive banking information such as user names and passwords. The gathered information is saved in a file, which is then sent to a remote site through HTTP post.
Here are previous reports of invoice spam: