Analysing the cyber scam that tried to fool an infosec professional's wife

Mrs Corrons received an email giving details of her online purchase of a ‘Superdry vintage distressed leather Brad jacket made from super-soft full grain leather...’ Mrs Corrons told Mr Corrons, ‘I didn’t buy that...’

Mr Corrons happens to be the technical director of anti-virus company PandaLabs. In an amusing blog he explains that after “she looked at me in a way that only your better half can” he took a closer look at the email. It is particularly dangerous because it is more professional and elaborate than most social engineering emails. It is well designed and contains no obvious spelling or grammatical errors. There is nothing that might immediately raise suspicions.

The scam relies on the victim being unsure whether they, or someone in the household, might have made the purchase, or assuming the email was simply sent in error. It asks for no money and no personal details; there is only a link to the supposed supplier where “the order can be viewed.”

This is the danger. Because the email is HTML rather than plain text, the visible link text can differ from the address it actually points to. Here it leads not to the online shop but to a separate site that prompts the user to download a file named CULT78318.exe, a name built from the store’s name and the order number quoted in the email. The file carries an Adobe icon so that the target takes it for a PDF rather than an executable.
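As an added illustration of the check a mail filter, or a suspicious recipient, could run on such a message (example code written for this page, not code from PandaLabs or the store), the following Python script parses an HTML body, compares each link’s visible text and target host with the shop the message claims to come from, and flags any target whose path ends in an executable extension. The message body and both host names are constructed placeholders, not the real URLs from the incident.

```python
"""Flag disguised links in an HTML e-mail body.

Constructed example for illustration: the store host and the download
host below are placeholders, not the real domains from the incident.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows will run directly; an icon says nothing about this.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Return the lower-cased host of a URL, or of a bare domain used as link text."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def analyse_links(html_body, expected_host):
    """Return (href, reason) findings for links that do not match the claimed shop.

    'host mismatch' - the href host is not the expected shop host, or the
                      visible text names a different host than the href;
    'executable'    - the href path ends in a Windows executable extension.
    """
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        # Only treat the visible text as a URL if it looks like one.
        text_host = _host(text) if "." in text and " " not in text else None
        if href_host != expected_host.lower() or (text_host and text_host != href_host):
            findings.append((href, "host mismatch"))
        path = urlparse(href).path.lower()
        if any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            findings.append((href, "executable"))
    return findings


# Constructed sample message body; hosts are placeholders (hypothetical).
SAMPLE_EMAIL = """
<html><body>
<p>Thank you for your order CULT78318.</p>
<p>Your order can be viewed at
<a href="http://cdn.download-orders.invalid/CULT78318.exe">
www.example-store.invalid/orders/CULT78318</a>.</p>
<p><a href="http://www.example-store.invalid/help">Help</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_EMAIL, "www.example-store.invalid"):
        print(f"{reason}: {href}")
```

The script deliberately ignores icons and MIME labels: the only reliable signals are where the link really points and what the file extension is. A real filter would also resolve shortened URLs and follow redirects before applying the extension check, which this offline example does not do.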

In reality, says Luis Corrons, “bad news, this is a nasty Trojan with bot capabilities.” It includes a keylogger to steal information, including passwords and banking information. It also, he says, looks for “other Trojans, mainly bot competitors, to remove them in case they are in the system, such as Zeus, DarkComet, etc.”

The supplier concerned is a genuine UK online store owned by SuperGroup plc and is not involved in this scam. It is aware of the scam but, when asked, had no one available to comment.
