08 December 2006

investigador.exe phish

we received another exquisite phishing email tonight, yet another one that managed to get around gmail's junk email filter. we're not sure but we have a strong suspicion that this is the work of the same crime gang that started out with the cartao.exe ecard email that we blogged about here. this is obviously a professional hi-tech crime gang and they have been doing this for awhile now. we wonder why interpol hasnt come knocking at their door yet. these particular phishing emails arrive presenting themselves to be a regular ecard....

click picture to enlarge
however, when we mouse over the red box where it says "Ver meu Cartao" (which we have no clue what this means btw) the first thing we notice down in the status bar -- bottom left in our picture -- we see the true url: mimundo.americaonline.com.ar/atualizaorkut10/investigador.exe and notice that it ends in .exe -- a .exe file extension is an executable file "whose contents are meant to be interpreted as a program by a computer." hackers can use .exe files to install and launch viruses, trojans, worms and what not to take over your computer. we think that the particular crime gang thats behind this is building a botnet.

this particular email does not contain any attachments. its cleverly designed to trick you into thinking that its an ecard. so you click the link in that box thinking you are going to fetch your ecard but instead you are taken to a website and thats where the .exe file is installed on your computer.
Reply-To: wesawthat@gmail.com
From: wesawthat@gmail.com>
To: TosWeb@aol.com,reportphishing@antiphishing.org
Cc: spam@uce.gov
Subject:Você Recebeu um Cartão OCarteiro.com.br
Date: Fri, 8 Dec 2006 00:07:26 -0600

AOL.COM: this spam was sent to advertise a phishing website that you host that is tricking computer users into installing a .exe file please would you terminate
service to:

related posts
  • search this blog * phish