Experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have warned of
a Trojan horse that has been spammed out claiming that the
recipient's credit card has been charged over 125 pounds.
Sophos has received reports of the Troj/Dloadr-AMA Trojan
horse, which arrives in a message claiming to come from a company
called Cihost, at email gateways across Europe.
The malicious emails have the subject line:
[paycheck 322082] Credit Card Chargeback
The message body reads as follows:
Sir,
We have received a notice from your card service stating
that there was a chargeback made by the owner of the card that you
paid for your account with. This is a very serious matter.
I have deducted the amount of the chargeback, GBP 102.10,
from your account and added our standard fee of GBP 23.95 as well.
(You can see your payment details in attachment.)
If there was some mistake, please let us know immediately so
that we can get this situation resolved. We ask that you have the
chargeback removed as soon as possible, as our account has already
been debited for the amount in question.
If you would prefer to make your payment using a new payment
method that would be fine as well (you can use a different credit
card or you may send a money order payable to Cihost).
This is a time sensitive issue and must be resolved promptly
at the request of the card service. Please email the billing team
using the Web Administration Panel with information about how you
are going to deal with this situation.
I thank you for your time and hope to hear from you
soon.
See your payment details in attachment.
Sincerely,
Frank J. Cornwell
Cihost Billing Management
http://www.cihost.com
Attached to the emails is a file called PAYCHECK.ZIP, which unpacks to
paycheck_322082.exe. Executing this file infects the user's
computer with a Trojan horse that attempts to download further
malicious code from the internet.
"No-one enjoys paying their credit card bill, but in this case
hackers are hoping that users will be so outraged that they are
being stung for a purchase they never made that they may rush into
opening the attached malicious file," said Graham Cluley, senior
technology consultant for Sophos. "PC users may be more lax about
security when it is the contents of their wallet which they think
are at risk."
Sophos's anti-virus products were automatically updated to
protect against the Troj/Dloadr-AMA Trojan horse at 08:31 GMT on 23
August 2006.
Sophos recommends that companies protect their email gateways
with a consolidated solution to defend
against viruses, spyware and spam, as well as apply an email policy
that filters unsolicited executable code at the gateway. Businesses
should also secure their desktop and servers with automatically
updated protection.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.