Cybercriminals seem to be targeting tourists and vacationers as the recent attack TrendLabs engineers managed to catch in progress and analyze shows.
In a timely slew of spam attacks, cybercriminals used demographic-specific spam in order to lure unsuspecting users into allowing malware to take root in their systems. Each spam sported the same malicious attachment and exhibited the same malicious routines, only renamed to match the content of the message it came with.
The first sample bears content made to read like a hotel manager's message urgently notifying users of an erroneous credit card transaction. The message's body informs users that in order to obtain the funds debited from their accounts, they need to open the attached file, fill in the blanks, and contact their banks. This is, however, not be the case when users oblige, as doing so instead executes a malware.
The second sample tries to deliver its payload using a similar tack, passing itself off as a MasterCard notification warning users that their credit cards have been blocked due to "illegal" operations.
The third sample poses as a message from an adult dating site that promises users a "map of love" that will lead them to locations and hot spots where they can find potential sexual partners upon opening the attachment.
Looking at all three attacks, it is not hard to see that the cybercriminals behind them are targeting tourists and vacationers, as evidenced by the use of common tourist activities as social engineering lure. The fact that it is summer in some parts of the world makes this slew of attacks all the more dangerous, as users looking to spend some time off abroad may be caught off guard.
This spam run is yet another example of how any subject can be used for unscrupulous activities as social engineering lures and proof that users need to be ever vigilant against potential attacks regardless of interest.
How do these threats arrive on users' systems?
These threats arrive on users’ systems via spam bearing malicious attachments. The email body attempts to lure users into downloading and opening the malicious attachment with promises of various benefits.
What happens once the threats get into systems?
Opening the attached file, which can be any of the following malware, can lead to the exhibition of various malicious routines on users' systems:
malicious routines of some of the aforementioned malware:
TROJ_BREDO.NEW downloads TROJ_FAKEAV.SMHB, a rogue antivirus software, that attempts to steal affected users’ financial information by displaying fake system infection notifications. This FAKEAV variant also prevents the execution of certain executable files.
TROJ_YAKES.AO accesses certain sites to send and receive information as well as to download other malicious files onto already-infected systems. It terminates its malicious routines, however, if it finds certain security-related processes running on systems.
How do these malware affect users?
The related malware compromise infected systems’ security and can lead to the theft of sensitive information. This can have detrimental effects on users’ privacy as well as put their financial assets at risk.
How can affected users remove related malware from their systems?
Non-Trend Micro customers can use HouseCall to scan their systems and to remove detected threats.
Trend Micro customers, on the other hand, are automatically protected by our products, which are backed by the Trend Micro™ Smart Protection Network™, from these malware. This is due to the Email Reputation Services and File Reputation Services that form part of the Trend Micro Smart Protection Network, specializing against the two ways in which this attack can try to infiltrate users’ systems.
What can users do to prevent these malware from infecting their systems?
Users can evade the effects of similar attacks by installing a reliable security software that blocks spam before these can even reach their inboxes. Immediately deleting spam and avoiding opening attachments are also encouraged.
"Email is still essential in communicating, and spam messages will continue to spread as long as email is still viewed as a viable infection vector. As always, I highly recommend avoiding opening email attachments and clicking links in email messages, especially if these messages are from unknown sources." --- Kathleen Notario, Threat Response engineer