MoMusings

Thursday 20th July, 2006


Charged For Software You Didn’t Buy?

Filed under: All, Malware

I always look forward to ploughing through all my e-mail, both the personal mail sent to my own domains and the work mail sent to my work address, especially as I receive around 300-400 messages a day (on average). Of these, around 85-90 percent are spam, malware or scams of one sort or another.

One of the e-mails I received to my work e-mail address this morning caught my eye, with the subject ‘Order Approval Notification’ and the following in the body of the e-mail:

Dear Madame/Sir,

Thank you for your order. Spysoftcentral processes orders and collects payments
on behalf of PC Tools.

Your credit card (VISA) has been debited with GBP 79.39 and the level of credit
card authorization has been changed.
Please note that “WWW.SPYSOFTCENTRAL.COM” will appear on your credit card
statement, and not the name of the publisher (PC Tools).

Here is a screenshot of the full e-mail:

A larger version of the screenshot can be found here.

Did you notice the attached ZIP file, which the e-mail body text states contains ‘...an invoice for your order’? How many of you would have opened this to check the invoice? Go on, own up!

Here are the details of the ZIP file and its contents:

Details:

FileName: DD269901.zip
FileDateTime: 20/07/2006 10:49:40
Filesize: 4308
MD5: c1aa725f9b6eedd79b99491e014e258c
CRC32: 90F66E21
File Type: ZIP Archive File

Contains:-

FileName: DD269901.exe
FileDateTime: 19/07/2006 17:09:00
Filesize: 5244
MD5: eb6aa621d168bf53a204141d0ace119e
CRC32: 1CDC43AE
File Type: PE Executable
Packer: FSG

Aha! The ZIP file contains not a text file but a binary [EXE] file, which is suspicious in itself. Furthermore, the file is packed using one of the packers/compressors favoured by malware authors: FSG.
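The check above, an "invoice" ZIP whose member is really a PE executable, is easy to automate at a mail gateway or in a triage script. The following is an added example, not code from the original post: it builds a constructed sample archive in memory (the member bytes are made up, not the real DD269901.exe), then records each member's size, MD5 and CRC32, flags executable extensions, MZ content regardless of the file name, and CRC mismatches between the ZIP header and the actual data.

```python
import hashlib
import io
import zipfile
import zlib

# Constructed stand-in for a PE file: only the 'MZ' DOS signature matters here.
# These bytes are made up and are NOT the sample from the e-mail.
FAKE_PE = b"MZ" + b"\x00" * 62
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_zip(include_exe=True):
    """Build a constructed 'invoice' ZIP in memory (sample data, not the real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", b"Order DD269901 - please see the attached invoice.\n")
        if include_exe:
            zf.writestr("DD269901.exe", FAKE_PE)
    return buf.getvalue()


def triage_zip(zip_bytes):
    """Return one record per member: name, size, MD5, CRC32 and the reasons it looks suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            name = info.filename.lower()
            reasons = []
            if name.endswith(EXECUTABLE_EXTS):
                reasons.append("executable extension")
            # Inspect content, not just the name: a PE file starts with 'MZ'.
            if data[:2] == b"MZ":
                reasons.append("PE header (MZ)")
                if not name.endswith(EXECUTABLE_EXTS):
                    reasons.append("PE content behind a non-executable name")
            # The ZIP header stores a CRC32; recompute it from the extracted bytes.
            crc = zlib.crc32(data) & 0xFFFFFFFF
            if crc != info.CRC:
                reasons.append("stored CRC32 does not match content")
            findings.append({"name": info.filename, "size": len(data),
                             "md5": hashlib.md5(data).hexdigest(),
                             "crc32": "%08X" % crc,
                             "suspicious": bool(reasons), "reasons": reasons})
    return findings


def should_quarantine(zip_bytes):
    """True if any member of the archive raised a flag."""
    return any(f["suspicious"] for f in triage_zip(zip_bytes))
```

The MD5 and CRC32 fields match the kind of details listed above, so the output can be compared directly against vendor submissions or scan reports.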

So, this e-mail is an attempt by the sender to get the recipient to open the ZIP and run the file inside, helped along by some fairly straightforward but effective social engineering; the thought that you have been charged for something you didn’t buy.

I have submitted this to the anti-virus vendors [about 30 of them], as the attachment (and the file inside it) was not detected by most anti-virus products at the time I received it [1]. The responses I have had back so far support my analysis that this is malicious and probably a downloader: used to breach defences and then download other malware components from one or more web sites.

This method is being used increasingly, because it is easier to code a small file that looks reasonably innocuous [non-viral] and so bypasses anti-virus and other security tools. When run, it will often try to disable security tools, such as a personal firewall and anti-malware tools, and then download other malware or malware components. By this time you no longer own your PC; it is probably part of a botnet, and it [or other downloaded malware components] may have found all your personal details and sent them off to the malware author to misuse.

What does this example tell you?

  1. Never take action while in a panic, yes DON’T PANIC!
  2. Take a deep breath, and think things through logically, plan your course of action.
  3. If there is a link or an attachment, treat it with suspicion. If in doubt, seek assistance from the person/company that allegedly sent it, or find an anti-malware expert and get them to examine it for you [in a controlled and secure environment].
  4. Just because your virus scanner doesn’t recognise it doesn’t mean it is OK to run it; anti-virus software should not be seen as an authorisation or access control solution.
  5. If in doubt about the advice you have been given, seek a second opinion.
  6. If it is an alleged credit/debit card charge, then contact them [your bank or credit card company directly] to see if the alleged sale/purchase has really been made; you can always get a charge-back if it is a fraudulent sale which you did not authorise.

So, to sum up:

Currently this malware is not detected by most anti-virus products [at the time of posting], but it will be within the next 24-48 hours.
This sort of credit/debit card charge [or charge-back] social engineering is becoming more commonly used by malware authors.

Be careful out there. Do you believe everything you see on the TV or read in the news? I hope not! As a rule of thumb: don’t believe everything you see or read, not everything is what it may seem, or even be real. It is OK to be a skeptic.

Now, where’s that news article that claims they have proof that ‘Alien Spacecraft Lands on Whitehouse Lawn’ and goes on to state that a ‘reliable’ member of the public says they “…saw an alien get out and change into President Bush” [2]?


[1] Full scan details can be found here.
[2] Yes, I’m making it up; no way could he be an alien, they are supposed to be more advanced than us ‘puny’ humans ;-)


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

3 Comments


  1. Thanks for that. I received the same email, but with a text file, AVG (my anti-virus), so maybe it dealt with it, but I’m of course not opening the text file.
    Can we assume that no charge has been made to our VISA cards!!

    Comment by Tony Goodson — Friday 21st July, 2006 @ 9:37

  2. Tony,

    It is possible as I sent a sample off to the AV companies [including AVG] early yesterday. If you want, you are welcome to send me the file and I will analyse it for you.

    As to whether your card has been charged; I doubt it but as I state in the article, “If it is an alleged credit/debit card charge then contact them [your bank or credit card company directly] to see if the alleged sale/purchase has really been made, you can always get a charge-back if it is a fraudulent sale which you did not authorise.”

    Comment by Martin — Friday 21st July, 2006 @ 10:24

  3. I too received this email and contacted PC Tools, whose program Spyware Doctor is. They confirmed my suspicions about the attachment and assured me that their malware team would be issuing a definition file for Spyware Doctor, and today my AVG found the zip file and identified the contents as a “trojan horse downloader Generic2.GFX”. It never fails to horrify me the number of people I speak to who have barely got antivirus software, let alone firewall software, on their computers and then wonder why their machines act up.

    Comment by Liz — Saturday 22nd July, 2006 @ 20:37
