McAfee Research Blog

Wrap-Up on July’s Fake Invoices

July 25th, 2008

Since the beginning of July there have been steady waves of mass-mailings hitting users’ inboxes with fake invoices. Fake UPS messages claim that a package couldn’t be delivered and was returned, and that the user should print out the attached invoice, which in fact is the malware, of course.

Yesterday two different spoofs were on the loose, both containing the very same malware: one in German, claiming to be an invoice from PayPal Europe, and the other pretending to be from the US Custom Services. And just today the next spam run brings in an invoice for a flight ticket. Victims are told they’ve bought an airplane ticket and their credit card was charged. The details and the flight ticket are attached; again, this is malware.

Users who fall prey to these common social-engineering tricks and install one of these nasties on their computer actually install ZBot spyware (aka ‘Wsnpoem’, aka ‘ntos.exe’; a description is available in our Malware Library). ZBot, depending on the actual variant, downloads an encrypted configuration file with further instructions from a Russian location and POSTs the collected data back.

The Secure Anti-Malware Engine protects in two ways: the malware itself is blocked as Trojan.Spy.ZBot right away. Mobile computers that may have been infected while on the road, outside of the corporate protection, and are now joining the network again can be identified as infected by the “Potentially Unwanted Program” (PUP) heuristics. These heuristics can distinguish normal user browsing behavior from infected machines phoning home, and can block such compromised computers from all internet access until they’re cleaned again.
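As an added illustration of the kind of phone-home heuristic described above (this is example code written for this post, not McAfee's engine; the proxy log format, the sample log lines and the thresholds are constructed assumptions), a small detector that flags hosts whose outbound POSTs to one destination recur at near-constant intervals, in contrast to the irregular, GET-heavy traffic of a person browsing:

```python
"""Beacon detector over proxy-style log lines (constructed example).
Infected machines phoning home POST collected data back on a timer; normal
browsing is mostly GETs at irregular intervals. Log format and thresholds
are assumptions for this example, not anything from a real product."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client_ip> <METHOD> <dest_host>"
# 10.0.0.5 browses normally; 10.0.0.7 POSTs to one host every ~5 minutes.
SAMPLE_LOG = """\
2008-07-25T09:00:00 10.0.0.5 GET news.example.com
2008-07-25T09:00:03 10.0.0.5 GET cdn.example.com
2008-07-25T09:00:04 10.0.0.5 POST mail.example.com
2008-07-25T09:12:00 10.0.0.5 GET shop.example.com
2008-07-25T09:01:00 10.0.0.7 POST c2.example.invalid
2008-07-25T09:06:01 10.0.0.7 POST c2.example.invalid
2008-07-25T09:11:00 10.0.0.7 POST c2.example.invalid
2008-07-25T09:16:02 10.0.0.7 POST c2.example.invalid
2008-07-25T09:03:00 10.0.0.7 GET news.example.com
"""

def parse_posts(log):
    """Group POST timestamps by (client, destination host)."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, client, method, host = line.split()
        if method == "POST":  # exfiltration is a POST; browsing is mostly GET
            events[(client, host)].append(datetime.fromisoformat(ts))
    return events

def find_beacons(log, min_posts=4, max_jitter=0.1):
    """Return {client: host} for pairs whose POST intervals are regular:
    coefficient of variation of the gaps below max_jitter."""
    flagged = {}
    for (client, host), stamps in parse_posts(log).items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            flagged[client] = host
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # {'10.0.0.7': 'c2.example.invalid'}
```

A flagged client would then be quarantined from internet access until cleaned, as the post describes; the thresholds need tuning against legitimate periodic traffic such as mail clients polling.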

Gallery of Latest Fake Invoices


Author: Anti-Malware Team
