PC users stung by credit card chargeback Trojan horse

August 23, 2006 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a Trojan horse that has been spammed out claiming that the recipient's credit card has been charged over 125 pounds.

Sophos has received reports from email gateways across Europe of the Troj/Dloadr-AMA Trojan horse, which arrives in a message claiming to come from a company called Cihost.

The malicious emails have the subject line:

[paycheck 322082] Credit Card Chargeback

The message body reads as follows:

Sir,

We have received a notice from your card service stating that there was a chargeback made by the owner of the card that you paid for your account with. This is a very serious matter.

I have deducted the amount of the chargeback, GBP 102.10, from your account and added our standard fee of GBP 23.95 as well. (You can see your payment details in attachment.)

If there was some mistake, please let us know immediately so that we can get this situation resolved. We ask that you have the chargeback removed as soon as possible, as our account has already been debited for the amount in question.

If you would prefer to make your payment using a new payment method that would be fine as well (you can use a different credit card or you may send a money order payable to Cihost).

This is a time sensitive issue and must be resolved promptly at the request of the card service. Please email the billing team using the Web Administration Panel with information about how you are going to deal with this situation.

I thank you for your time and hope to hear from you soon.

See your payment details in attachment.

Sincerely,
Frank J. Cornwell
Cihost Billing Management
http://www.cihost.com

Attached to the emails is a file called PAYCHECK.ZIP, which unpacks to paycheck_322082.exe. Executing this file infects the user's computer with a Trojan horse that attempts to download further malicious code from the internet.

"No-one enjoys paying their credit card bill, but in this case hackers are hoping that users will be so outraged that they are being stung for a purchase they never made that they may rush into opening the attached malicious file," said Graham Cluley, senior technology consultant for Sophos. "PC users may be more lax about security when it is the contents of their wallet which they think are at risk."

Sophos's anti-virus products were automatically updated to protect against the Troj/Dloadr-AMA Trojan horse at 08:31 GMT on 23 August 2006.

Sophos recommends that companies protect their email gateways with a consolidated solution to defend against viruses, spyware and spam, as well as apply an email policy that filters unsolicited executable code at the gateway. Businesses should also secure their desktops and servers with automatically updated protection.
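As a worked illustration of the gateway policy described above and of the ZIP-wrapped executable described earlier on this page, here is an added example (not Sophos's code or product) in Python: it parses a message, opens any ZIP attachment, and flags members that look executable either by file extension or by the "MZ" bytes that every Windows program begins with. The message, the sender and recipient addresses, and the attachment contents are constructed for the example; the ZIP member is a harmless stub that merely starts with the MZ bytes, not the real Trojan, and the extension list is an assumed policy, not a Sophos one.

```python
import io
import os
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions a gateway policy would normally refuse when unsolicited (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # every Windows PE executable starts with these two bytes


def executable_reasons(name, head):
    """Return why a file looks executable: by extension, by content, or both."""
    reasons = []
    ext = os.path.splitext(name.lower())[1]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension {ext}")
    if head.startswith(PE_MAGIC):
        reasons.append("MZ header")
    return reasons


def inspect_zip(data):
    """List (member, reasons) for every executable-looking member of a ZIP.

    Only the first two bytes of each member are decompressed, so a very large
    archive does not have to be fully expanded before it can be classified.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    head = member.read(2)
                reasons = executable_reasons(info.filename, head)
                if reasons:
                    findings.append((info.filename, reasons))
    except zipfile.BadZipFile:
        findings.append(("<archive>", ["not a valid ZIP file"]))
    return findings


def check_message(raw):
    """Return a list of policy findings for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Look inside archives, whether named .zip or merely starting with the ZIP signature.
        if name.lower().endswith(".zip") or payload.startswith(b"PK"):
            for member, reasons in inspect_zip(payload):
                findings.append(f"{name}:{member}: {', '.join(reasons)}")
        else:
            reasons = executable_reasons(name, payload[:2])
            if reasons:
                findings.append(f"{name}: {', '.join(reasons)}")
    return findings


def build_sample(member_name="paycheck_322082.exe", member_data=None):
    """Construct a test message shaped like the one in the press release.

    The attachment is a ZIP holding a placeholder file; by default a harmless
    stub that begins with the MZ bytes so the content check fires. It is a
    constructed sample, not the real Trojan.
    """
    if member_data is None:
        member_data = PE_MAGIC + b"\x00" * 62 + b"constructed placeholder, not a program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_data)
    msg = EmailMessage()
    msg["Subject"] = "[paycheck 322082] Credit Card Chargeback"
    msg["From"] = "billing@example.invalid"  # constructed sender address
    msg["To"] = "user@example.invalid"       # constructed recipient address
    msg.set_content("See your payment details in attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="PAYCHECK.ZIP")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in check_message(build_sample()) or ["no executable content found"]:
        print(line)
```

The content check matters because a name-only filter is defeated by renaming the member to something like receipt.pdf; the MZ check still catches it, and reading two bytes per member keeps the gateway from having to expand an oversized archive to reach a verdict.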