A particularly malicious spam run consisting of emails ostensibly sent by reception desk managers of various hotels has been targeting Visa users.
The emails exhibit subject lines such as “Hotel Sutton Place made wrong transaction” and “Wrong transaction from your credit card in Four Seasons Resort Scottsdale” and contain a longish explanation (in very bad English) saying that the hotel has charged the recipient’s credit card for over $1,000 by mistake.
“Please see the attached form. You need to fill it in and contact your bank for the return of funds,” the emails say, and they offer an attachment named RefundFormXXX.zip (where XXX is a random three-digit number).
The unzipped file is Refund-Form.exe and is outfitted with the icon for an Excel file in order to trick the recipient into opening/executing it.
Once the victim has done that, the malware downloads another executable from a Russian domain. This executable is a fake AV by the name of “Security Protection”.
“A further HTTP request is sent to 126.96.36.199, which requests a module called ‘grabbers’ from load.php,” explain the researchers. “The file that is retrieved, called update.dat is in fact an encrypted Windows .dll file. Once decrypted we discovered that it was a password stealer which targets a huge number of applications including instant messaging programs, poker clients, FTP clients and web browsers looking for stored passwords.”
But this is not the end – another HTTP request is sent nearly a day after the initial infection, and it retrieves another fake AV called “Personal Shield Pro”.
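The lure described above (a “wrong transaction” subject, a RefundFormXXX.zip attachment, and an executable hidden inside the archive) can be triaged at the mail gateway before anyone opens it. The following is an added example written for this page, not code from the researchers or from any product; the sample messages are constructed inline, and the set of executable extensions and the MZ-header check are my own additions to catch renamed binaries.

```python
import io
import os
import re
import zipfile

# Build a small in-memory zip so the example runs offline (constructed data).
def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: one mirrors the campaign's lure, one is a benign archive.
SAMPLE_MESSAGES = [
    {"subject": "Hotel Sutton Place made wrong transaction",
     "attachment": "RefundForm482.zip",
     "data": build_zip({"Refund-Form.exe": b"MZ\x90\x00 constructed stub"})},
    {"subject": "Invoice for your stay",
     "attachment": "invoice.zip",
     "data": build_zip({"invoice.pdf": b"%PDF-1.4 constructed stub"})},
]

SUBJECT_RE = re.compile(r"wrong transaction", re.IGNORECASE)
ATTACH_NAME_RE = re.compile(r"^RefundForm\d{3}\.zip$", re.IGNORECASE)
# Assumed list of Windows executable extensions worth blocking in mail.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def triage(msg: dict) -> list:
    """Return the list of reasons a message matches the campaign's lure."""
    reasons = []
    if SUBJECT_RE.search(msg["subject"]):
        reasons.append("subject matches 'wrong transaction' lure")
    if ATTACH_NAME_RE.match(msg["attachment"]):
        reasons.append("attachment name matches RefundFormNNN.zip pattern")
    try:
        with zipfile.ZipFile(io.BytesIO(msg["data"])) as zf:
            for name in zf.namelist():
                ext = os.path.splitext(name)[1].lower()
                # A PE file starts with 'MZ' regardless of its extension,
                # so a renamed executable is still caught here.
                header = zf.open(name).read(2)
                if ext in EXECUTABLE_EXT or header == b"MZ":
                    reasons.append(f"archive contains executable member {name}")
    except zipfile.BadZipFile:
        reasons.append("attachment is not a valid zip archive")
    return reasons

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["attachment"], "->", triage(m) or "clean")
```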