Dissecting April’s malicious spam

Malicious attachments in April came disguised as e-greetings and notifications about faxes. In the case of the former, alleged Easter greetings turned out to be the Fareit.aonw Trojan with fairly limited functionality: it didn’t try to steal any passwords, but did download and launch a far more dangerous Zbot Trojan-Spy designed to attack servers and steal personal data.

The second case involved fake messages from a popular online fax service. The messages contained a small Trojan downloader that installed the same spy program from the notorious Zeus/Zbot family.

Kaspersky Lab detected several large malicious attacks in April disguised as faxes sent by the popular online fax service eFax, which allows users to send and receive faxes as email attachments.

The fake messages usually included a notification about an incoming fax, and to be more persuasive, it would indicate the number of pages in the fax. However, the zip file actually contained malware, specifically Trojan-Downloader.Win32.Cabby.a – a rather small Trojan downloader that carries a CAB file in its body with the document or graphic that is displayed to the recipient after launching.

While the victim is busy viewing the attachment, Cabby stealthily downloads another threat. In the cases we observed, the secondary malicious program was from the same widespread ZeuS/Zbot family (Trojan-Spy.Win32.Zbot.shqe).

The category of organisations most frequently targeted by phishers in April was ‘Email and search engine sites’, accounting for 31.9 per cent of attacks. ‘Social networks’ were in second place with 23.8 per cent (a drop of 0.2 percentage points). ‘Financial and payment organisations’ came third with 13 per cent (0.2 percentage points less than March).

The target of the month was a large Chinese telecommunications company called Tencent that, among other things, offers tech support for the QQ instant messaging client. Scammers tried to get client logins and passwords using some familiar tricks such as telling users to follow a link to restore access to their account. The link actually led to a phishing site. The notification was sent as an image, which helped it bypass spam filters and made the email look more legitimate.

“Last month, we saw a new wave of so-called pump and dump spam. The scammers behind these mailings advertised offers to buy stock in a certain company at super low prices, which were allegedly meant to increase considerably in the near future. As a result, the demand for the stock in the company rose, the prices became artificially inflated – and the scammers would then sell off their stock in said company. The stock prices would then begin to fall, and the bamboozled investors were left with depreciated shares and lost their investments. As a rule, scammers tend to choose little known companies for these schemes, where the stock is traded on a secondary market. In April, they used Rich Pharmaceuticals, a US company,” commented Tatyana Shcherbakova, Senior Spam Analyst at Kaspersky Lab.

Don't miss