More attacks using the Google brand
Today we have seen another attack exploiting the Google brand. An email with this text is sent to a large number of email addresses:
“Gentile cliente,
siamo a comunicarle che da recenti controlli nella nostra contabilità risulta un credito a Suo favore di € 268,50; potrà comodamente ritirare il credito tramite assegno o bonifico bancario senguendo la procedura elettronica sul nostro sito web.
Per controllare lo stato della sua posizione fiscale clicchi il link sottostante, dove troverà pure il cedolino per il rimborso del credito a Lei riconosciuto”
The text translates roughly to:
“Dear customer, following checks done recently we are contacting you to inform you that there is a credit of 268.50 € in your name. You can withdraw the credit via cheque or bank transfer following the procedure described on our website.
To check your financial status follow the link below, where you will also find a form to get your refund.”
The link embedded in the email message points to a URL that prompts the user to download and run a file in order to get their money back. The file is proactively detected by Sophos as Mal/Behav-031. It is a Trojan that adds several domains to the Trusted sites zone of Internet Explorer, where IE applies relaxed security settings, which allows those domains to install additional executables onto the computer. Some of the domains point to a spoofed Italian Google page (with the brand incorrectly spelt “Gooogle”).
Although the attack targets Italian users, the domains are all hosted in China, which makes them quite difficult to take offline.
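One way a defender can check a machine for this kind of tampering, as an added example that is not part of the Sophos post: export the ZoneMap\Domains key with `reg export` (a standard Windows command) and run the script below over the resulting .reg file. It lists every host mapped into the Trusted sites zone (zone 2) and flags those whose registrable label imitates a protected brand such as Google. The registry layout it parses (one sub-key per domain, optional sub-keys for host labels, DWORD values named after the URL scheme that hold the zone number) is how Internet Explorer stores zone assignments. The sample .reg text, and every domain in it other than the “gooogle” spelling from the post, is constructed for this example; the brand list and the 0.8 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample (not taken from the Sophos post): roughly what
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg
# could produce on a machine where a Trojan has added Trusted-sites entries.
# Only the "gooogle" spelling comes from the post; every other domain is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"http"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gooogle.it]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gooogle.it\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\update.example.cn]
"http"=dword:00000002
"https"=dword:00000002
"""

# IE URL security zone numbers as stored in the ZoneMap DWORD values.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
TRUSTED_ZONE = 2
DOMAINS_KEY = "\\ZoneMap\\Domains\\"
# Assumed brand list for lookalike detection; extend as needed.
PROTECTED_BRANDS = ("google", "microsoft", "paypal")
VALUE_RE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})')


def parse_zonemap(reg_text):
    """Return (host, scheme, zone) triples from a .reg export of ZoneMap\\Domains.

    Domains\\example.com\\www with "http"=dword:2 means http://www.example.com
    is in zone 2; a value name of "*" covers every scheme.
    """
    entries = []
    current_host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(DOMAINS_KEY.lower())
            if idx == -1:
                current_host = None          # some other key; ignore its values
                continue
            parts = key[idx + len(DOMAINS_KEY):].split("\\")
            # Sub-keys are host labels, most significant first:
            # ["example.com", "www"] -> "www.example.com"
            current_host = ".".join(reversed(parts)).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_host:
            entries.append((current_host, m.group(1), int(m.group(2), 16)))
    return entries


def trusted_hosts(reg_text):
    """Every host with at least one mapping into the Trusted sites zone."""
    return sorted({h for h, _, z in parse_zonemap(reg_text) if z == TRUSTED_ZONE})


def lookalike_brand(host, threshold=0.8):
    """Return the protected brand the registrable label resembles, or None if the
    label is the brand itself or resembles nothing. Similarity is difflib's
    ratio: crude, but dependency-free and enough to catch "gooogle"."""
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]   # "gooogle" from www.gooogle.it
    for brand in PROTECTED_BRANDS:
        if label == brand:
            return None
        if SequenceMatcher(None, label, brand).ratio() >= threshold:
            return brand
    return None


def suspicious_trusted_entries(reg_text):
    """Trusted-zone mappings whose domain imitates a protected brand."""
    findings = []
    for host, scheme, zone in parse_zonemap(reg_text):
        brand = lookalike_brand(host) if zone == TRUSTED_ZONE else None
        if brand:
            findings.append({"host": host, "scheme": scheme, "looks_like": brand})
    return findings


if __name__ == "__main__":
    print("Trusted sites entries:", trusted_hosts(SAMPLE_REG))
    for f in suspicious_trusted_entries(SAMPLE_REG):
        print(f"SUSPICIOUS {f['scheme']}://{f['host']} looks like {f['looks_like']}")
```

Review the full `trusted_hosts` list as well as the flagged ones: a Trojan can add domains that imitate nothing at all, and any host an administrator did not deliberately place in the Trusted sites zone is worth removing. Zone assignments can also live under HKLM (`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains`) when zones are set machine-wide, so export and check both hives.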
Posted on May 8th, 2007 by Vanja Svajcer, SophosLabs, UK. Filed under: Uncategorized