Another set of password-stealing malware campaigns using the mobile phone companies' MMS message/voice message subjects. These vary by the day: some days we get Upatre Zbot downloaders, other days a full-blown Pony or Gameover Zeus version, and some days an Androm (Andromeda) version, which tells us that different botnets are re-using and copying the same emails to spread their malware.
27 and 28 February 2014: today the attachment is a fake PDF inside the zip, and the subject suggests an image to look at. Lots of these are slipping past spam filters today, because the headers say they come from a Yahoo email address. Yahoo is one of the few free webmail services that also allows POP sending and receiving, and many ISPs allow Yahoo addresses to send through their own mail servers, so a Yahoo sender on a message relayed by an ISP is not in itself unusual enough to be blocked. These latest versions are Gameover Zeus.
24 February 2014: today the attachments contain a fake JPG (image) file.
30 January 2014: today the attachments contain a fake PDF file rather than a fake WAV (sound) file.
18 March 2014: they have stepped up the game with this one today and have made the email much more enticing to click on. They have added a genuine JPG image of a sexy girl and a zip that suggests it contains a lot more sexy pictures. Of course, if opened, the zip contains a very nasty Zbot malware, the same malware as this morning's fake Government Business Department email. A lot of men will try to open the zip just out of curiosity in case it does contain more revealing images, and many women will want to see what they are missing as well.
How is it going? I am Josephine! i look for a second half.
I enjoy travelling and drawing! Look at my photos in attached file.
Answer me! Bye!
So far we are seeing subjects:
- Vodafone MMS Service
- T-Mobile MMS Service
- Orange MMS Service
- IMAGE Id 031042841-PicFGZ6W TYPE=MMS
- pic Id 056811595-Pic900E2 TYPE=MMS
- Picture Id 801894397-Pic6DP0Z TYPE=MMS
- text notification message
No doubt we will see the other phone companies also used as a message subject as the day progresses. Needless to say, they don't come from the mobile phone company and are yet another one from the current Zbot runs, which try to drop CryptoLocker ransomware and loads of other malware on your computer.
Almost all of these have a password-stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
Attachment zip name: T-Mobile_voice_835FABB73A60667C78FA.zip (68kb)
Extracted file name: MMS_System_Voice_WAV_857458934750982364592863495623495897385738457893275890704098573248957829347589.wav.exe
Current VirusTotal detections: 4/49 https://www.virustotal.com/en/file/17cc77df1334f8f0df21f79c7aa35bec1e5aaaa7ffa1d5ce84710ec46246c64d/analysis/
MALWR Auto Analysis: https://malwr.com/analysis/YTdjNzdiMzRkZjg5NDA4Mzg2NzQyN2E4YmVhODgzZDE/
30 January 2014: IMG0000008849902.zip (55kb) extracts to IMG0000008849902.exe. Current VirusTotal detections: 4/50
23 April 2014: IMG_23_04_2014_5737206532.zip (443kb) extracts to IMG_23_04_2014_0094855483.jpeg.exe. Current VirusTotal detections: 4/51
This is another one of the spoofed-icon executables: the .exe carries a WAV or PDF icon and a double extension such as .wav.exe or .pdf.exe, so unless you have "show known file extensions" enabled, Windows hides the final .exe and the file looks like a proper WAV (music or voice) file or a PDF instead of the executable it really is. That makes it much more likely that you will open it by accident and be infected.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying "look at this picture of me I took last night" that appears to come from a friend, or one more targeted at somebody who regularly receives PDF attachments, Word .doc attachments or any other common file type they use every day, the aim is the same. Be very careful when unzipping them: make sure you have "show known file extensions" enabled, and then look carefully at the unzipped file. If the name ends in .EXE then it is a problem and should not be run or opened.
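As an added example (not code from the original post), the following Python script shows how a mail gateway or an analyst could triage one of these zip attachments automatically, and why the "show known file extensions" advice matters. It builds a constructed sample zip in memory whose member names are taken from the attachments listed above; the member contents are harmless placeholder bytes starting with the PE magic "MZ", not real malware. The function names and the set of extensions treated as "known" are assumptions for this example, not a reproduction of Windows' exact registry list.

```python
import io
import zipfile

# Extensions that execute when double-clicked on Windows (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions the lures in this campaign pretend to be.
DECOY_EXTS = {".wav", ".mp3", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".doc"}
# Extensions Explorer hides when "Hide extensions for known file types" is on
# (assumed subset; the real list comes from the registry).
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS | {".txt", ".zip"}


def windows_display_name(name):
    """Name Explorer shows for `name` with known extensions hidden.

    Only the final extension is hidden, so 'x.wav.exe' is shown as 'x.wav',
    which is exactly what the double-extension trick relies on.
    """
    base, dot, ext = name.rpartition(".")
    if dot and "." + ext.lower() in KNOWN_EXTS:
        return base
    return name


def suspicious_members(zip_bytes):
    """Return [(member_name, [reasons])] for zip members that look like disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):          # directory entry, nothing to check
                continue
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            reasons = []
            if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension ." + parts[-1])
                if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
                    reasons.append("decoy extension ." + parts[-2] + " in front of the real one")
            # Check the content, not just the name: a PE file starts with 'MZ'
            # whatever it is called.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("content starts with MZ (Windows executable)")
            if len(name) > 80:
                reasons.append("unusually long file name (%d chars)" % len(name))
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip():
    """Constructed sample attachment: names from the campaign, placeholder bytes inside."""
    fake_pe = b"MZ" + b"\x90" * 62   # looks like a PE header to a magic-byte check; not runnable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "MMS_System_Voice_WAV_857458934750982364592863495623495897385738457893275890704098573248957829347589.wav.exe",
            fake_pe,
        )
        zf.writestr("IMG_23_04_2014_0094855483.jpeg.exe", fake_pe)
        zf.writestr("readme.txt", b"harmless text file for comparison\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_zip()):
        print("Explorer would show:", windows_display_name(name))
        print("  real name:", name)
        for r in reasons:
            print("   -", r)
```

The name check alone catches this campaign, but the "MZ" content check is what survives the next variant, where the attacker changes the extension to something you did not list. Nothing here replaces antivirus; it is a cheap first pass that flags an attachment before a user ever sees the spoofed icon.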