Masquerading as shipping or order confirmation notifications

Aug 28, 2009 13:26 GMT

The creators of the Bredolab computer trojan have launched a new distribution campaign, which delivers the malware via bogus order confirmation emails allegedly sent from online shops. Security researchers advise potentially curious users not to open the attachments.

Email security company MX Lab warns that emails with subjects such as "Thank you for settling the order No.90322972" or "Shipping confirmation for order _24204" arrive with malware attached. The messages rely on social engineering: the recipient is meant to believe that an order they never placed has been charged and shipped in their name, and to open the attachment to find out more.

The "From" field of the emails is spoofed. The body of one sample reads: "Thank you for shopping at our internet store! We have successfully received your payment. Your order has been shipped to your billing address. You have ordered Toshiba Satellite U400D. You can find your tracking number in attached to the e-mail document. Please print the label to get your package."

The product allegedly ordered and the wording of the message vary from one email to the next, most likely so that no single subject or body string can serve as a signature for basic spam filters. Each email carries a .zip archive with a randomized file name.

"The extracted ZIP archive contains a D*****.exe, of approx 36 kB, where * stands for random numbers and letters," the company explains. The executable is the Bredolab installer; at the time of the report a VirusTotal scan showed a below-average detection rate of 16 out of 49 engines.
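The indicators above (a lure subject, a ZIP attachment, and inside it a small executable with a six-character random name ending in .exe) are enough to write a simple mail-triage check. The script below is an added example and is not code from MX Lab or from the article; it uses only the Python standard library. The subject patterns are the two quoted in the article, the 64 kB size cap is an assumption chosen to be comfortably above the reported 36 kB sample, and the test message it builds is constructed here (the "executable" is an MZ header followed by zero padding, not real malware). The sender and recipient addresses are placeholders.

```python
"""Triage helper for the Bredolab order-confirmation lure: flag e-mails whose
subject matches the fake order/shipping confirmation pattern and whose ZIP
attachment contains a small executable named like D*****.exe."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject fragments taken from the two samples quoted in the article.
SUBJECT_RE = re.compile(
    r"(thank you for settling the order|shipping confirmation for order)",
    re.IGNORECASE,
)
# One letter followed by exactly five alphanumerics, then .exe (the D*****.exe
# naming MX Lab reported; the leading letter is allowed to vary here).
RANDOM_EXE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{5}\.exe$", re.IGNORECASE)
EXE_SIZE_MAX = 64 * 1024   # assumed cap; the reported sample was about 36 kB
MZ_MAGIC = b"MZ"           # DOS/PE header signature


def inspect_zip(data: bytes) -> list:
    """Return (name, size, has_mz_header) for every small, randomly named
    .exe member of the ZIP blob; an unreadable archive yields no hits."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not RANDOM_EXE_RE.match(info.filename):
                    continue
                if info.file_size > EXE_SIZE_MAX:
                    continue
                head = zf.open(info).read(2)   # read only the magic bytes
                hits.append((info.filename, info.file_size, head == MZ_MAGIC))
    except zipfile.BadZipFile:
        pass
    return hits


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and combine the subject and attachment
    indicators into a verdict: clean, suspicious, or bredolab-lure."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = msg.get("Subject", "")
    result = {
        "subject_lure": bool(SUBJECT_RE.search(subject)),
        "zip_hits": [],
        "verdict": "clean",
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            result["zip_hits"].extend(inspect_zip(part.get_payload(decode=True)))
    if result["subject_lure"] and any(hit[2] for hit in result["zip_hits"]):
        result["verdict"] = "bredolab-lure"
    elif result["subject_lure"] or result["zip_hits"]:
        result["verdict"] = "suspicious"
    return result


def build_sample() -> bytes:
    """Constructed test message mimicking the campaign. The attached 'exe' is
    an MZ header plus zero padding sized to 36 kB; it is not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("D7k3q9.exe", MZ_MAGIC + b"\x00" * (36 * 1024 - 2))
    msg = EmailMessage()
    msg["From"] = "shop@example.com"       # placeholder for the spoofed sender
    msg["To"] = "victim@example.org"       # placeholder recipient
    msg["Subject"] = "Thank you for settling the order No.90322972"
    msg.set_content("Thank you for shopping at our internet store! ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="order_31337.zip")   # random-looking name
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Because the campaign randomizes product names and wording, the subject match is the weaker of the two signals and will miss variants; the structural one, a ZIP whose only payload is a tiny randomly named PE file, is what carries the verdict here and survives the text changes described in the article.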

Bredolab is a trojan first identified by security researchers in May. Once installed, it acts as a downloader: its job is to fetch and install additional malware on the compromised system. So far it has been observed pulling rogue antivirus programs from the FakeAV family.

Using bogus order or shipment confirmation emails to distribute malware is not a new technique; it has been used heavily as a lure over the past several years, and the fact that cybercrooks keep returning to it suggests that it still works well enough. Users are strongly advised to treat unexpected order confirmations with suspicion, not to open archives or executables attached to such messages, and to keep their antivirus definitions up to date, bearing in mind that a fresh sample can slip past most engines, as the 16/49 detection rate in this case shows.