Security researcher warns on malicious hotel transaction spam

According to Gavin Neale, a threat analyst with M86 Security's New Zealand operation, he and his research colleagues have seen a large number of spam emails that claim that an incorrect transaction "was made on your credit card from a hotel."

The subject lines, he says, resemble the following two, with the hotel name varying from message to message:

  • Hotel Sutton Place made wrong transaction
  • Wrong transaction from your credit card in Four Seasons Resort Scottsdale

"We have also seen several different message bodies that try to explain, in fairly bad English, that your credit card has been charged by a hotel and that in order to get your money back you will need to fill in an attached form and send it to your bank", he says in his latest security blog.

Along with the rambling body text from the spammers, Neale says, a zip file named RefundFormXXX.zip (where XXX is a random three-digit number) is attached to the spam message.

"Inside this zip file is an executable file - Refund-Form.exe - which has an icon likely intended to deceive unsuspecting victims into thinking that it is in fact some type of form which they can view", he explained.

Once executed, the malware downloads the file soft.exe from yomwarayom2001[dot]ru (84.247.61.25).

"This did not run straight away, so we ran it on a separate test machine and verified that this is a fake AV product named Security Protection", he says.

A further HTTP request is then sent to 188.72.202.121, which requests a module called 'grabbers' from load.php.

Interestingly, Infosecurity notes, it took almost 24 hours for the remote system to deliver the next stage to the infected host; a further HTTP request was then triggered and a second fake AV application, Personal Shield Pro, was launched.
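The indicators in the write-up (the lure subject lines, the RefundFormXXX.zip attachment carrying Refund-Form.exe, and the download and beacon hosts) translate directly into mail and proxy detection logic. The following script is an added example and is not code from M86 Security or from Neale's blog: it parses a constructed spam message, inspects the zip attachment for executables, and checks constructed proxy log lines against the hosts named on the page. The proxy log format, the sample message contents and the ".scr" suffix are assumptions for illustration; the domain is the page's defanged name with the bracket removed.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlsplit

# Indicators taken from the M86 description quoted in the article.
SUBJECT_RE = re.compile(r"wrong transaction", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^RefundForm\d{3}\.zip$", re.IGNORECASE)
# ".exe" is the suffix named on the page; ".scr" is an added assumption (common disguise).
EXECUTABLE_SUFFIXES = (".exe", ".scr")
NETWORK_IOCS = {"yomwarayom2001.ru", "84.247.61.25", "188.72.202.121"}


def zip_executables(data: bytes) -> list:
    """Return member names inside a zip that end in an executable suffix."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []  # Corrupt or non-zip payload: nothing to report from this check


def scan_message(raw: bytes) -> list:
    """Return a list of human-readable indicator hits for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    subject = msg.get("Subject", "")
    if SUBJECT_RE.search(subject):
        hits.append(f"subject matches campaign lure: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment name matches RefundFormXXX.zip: {name}")
        if name.lower().endswith(".zip"):
            # The icon trick only works on a human; an executable inside the archive is detectable.
            for exe in zip_executables(part.get_payload(decode=True)):
                hits.append(f"zip {name} contains executable {exe}")
    return hits


def scan_proxy_log(lines) -> list:
    """Return the IOC hosts contacted, in order, from whitespace-separated log lines with a URL field (assumed format)."""
    matched = []
    for line in lines:
        for token in line.split():
            if token.startswith("http"):
                host = urlsplit(token).hostname
                if host in NETWORK_IOCS:
                    matched.append(host)
    return matched


def build_sample_message() -> bytes:
    """Constructed sample resembling the described spam; not a real captured message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Refund-Form.exe", b"MZ" + b"\x00" * 62)  # placeholder bytes, not malware
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Hotel Sutton Place made wrong transaction"
    msg.set_content("Wrong transaction was made on your credit card from a hotel. "
                    "Fill in the attached form and send it to your bank.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="RefundForm417.zip")
    return msg.as_bytes()


# Constructed proxy log lines (assumed format: timestamp client method url status).
SAMPLE_PROXY_LOG = [
    "2011-06-01T10:02:11 10.0.0.5 GET http://yomwarayom2001.ru/soft.exe 200",
    "2011-06-01T10:02:40 10.0.0.5 GET http://www.example.com/index.html 200",
    "2011-06-02T09:58:03 10.0.0.5 GET http://188.72.202.121/load.php?module=grabbers 200",
]

if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print("mail:", hit)
    for host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy: contact with known host", host)
```

Running the script flags the sample on all three mail checks and reports both beacon hosts while ignoring the benign line. In production the hostname and IP sets would be loaded from a threat feed rather than hard-coded, and the zip check should also reject archives that fail to open, which is why a bad archive returns no hits rather than raising.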

"Both the attached executable files and those that were downloaded after the initial infection had very low detection rates among anti-virus engines, which highlights the need to be very cautious when opening email attachments and to keep anti-virus software up to date", warns Neale.
