Whilst traversing The Tubes yesterday doing some research on credit card processing across a host of different sites, I was hit with an old school malware installer technique with a couple of new twists at one of them. (That's what it looks like above.)
What's old school about it, is it's using an old social engineering ruse to trick people into installing it. Make no mistake: it's fake software. Well, it might play media files, but I guarantee there's some sort of unwanted malware / adware payload along with it.
As you can tell from the Finder icon in the top left, and the "Accept and Install" button in the lower right, it's obviously geared for people on a Mac, and here are some telltale signs it's fake.
- Every media type that matters is playable out of the box on a Mac.
- "Media Player" is Windows-only software, and it's built into Windows, i.e. no need to install it like this.
- The Accept and Install button and the Finder icon are the (now very) old Mac interface style.
- Powered by "MediaDownloader," yet the software is called, "Media Player"?
- What the heck is the Finder icon even doing on a an installer for a third-party product?
Curiously, both Bitdefender and Webroot for Mac missed identifying the serving URL as malicious:
(Whether it has a trojan or some other malicious payload or if it's "just" adware, I don't know, and honestly, does it really matter? Its goal is to trick people into installing it.)
So, if you come across this bugger (or something similar in the wild), get the heck out of Dodge and for cryin' out loud, keep your mouse away from the "Accept and Install" button, will ya?
UPDATE: Looks like I'm not the only one getting these emails!
Dancho Danchev with Webroot also has a great blog post on these email. His is called, Spamvertised 'US Airways' themed emails serving client side exploits and malware
One bit of good news/bad news on them: we can be even more certain that the domain owner shown in my post is an innocent victim, too, as Dancho's blog shows many other URLs being used for serving the malware. In fact, his blog post doesn't even mention the domain name that was in the email I received.
Sometimes, you really just have to laugh.
I got a phishing spam today. Really, you might even call it a spear-phishing spam, given that it had my name and email address correct.
It was an email that looked every bit like a legitimate Check-in Confirmation email from US Airways. The problem: I'm not traveling anytime soon, so I know it's a fake.
Here's what it looked like:
Examining the link shows it was destined to go to an Indian website (.in) that's registered with the following info:
Created On:27-May-2011 21:14:29 UTC
Last Updated On:27-Jul-2011 19:20:22 UTC
Expiration Date:27-May-2012 21:14:29 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R101-AFIN)
Registrant Name:ian jamieson
Registrant Organization:perdita & pongo llc
Registrant Street1:po box 2225
Registrant City:manchester ctr.
Registrant Postal Code:05255
Whether or not the registrant name is legit is anyone's guess, but it's hosted at this IP 184.108.40.206 by GoDaddy.
It's exceedingly rare that anyone uses their real info to host a phishing site--much less one hosted with a legitimate company like GoDaddy, so the domain has probably been compromised. Either that or the registrant name is completely falsified.
The bottom line: don't click on links in emails, even if you think they're legit and from someone you know.
Instead, by doing a "Right Click," you can copy the link out of the email and paste it into Notepad. From there, it doesn't take a rocket scientist to see this link is going to an Indian website (.in) and not to US Airways.
For a quick-and-dirty email, one has to wonder what kind of success rate they're having with this particular email. After all, it is a relatively clever bit of social engineering, some people will, no doubt, fall for.
Even still, if you do get sucked into clicking a link like the one in this phishing email (or click it accidentally), this is where good antivirus software can make all the difference.
Here's what happens when you click this particular link, if you're running the 2012 VIPRE Internet Security Suite:
As you can see, VIPRE 2012 blocked it as a trojan, so there should be little doubt in your mind now that between
- the "US Airways" link mysteriously going to a .in website...
- it being registered to an "ian jamieson..."
- and VIPRE ISS blocking the first thing on the site as a trojan
Now, it's time to contact GoDaddy to get the site yanked before more people get infected.
Oh, and in case you're wondering here are the threat details from VIPRE: