Aug 2, 2011 18:26 GMT

Security researchers warn that a wave of fake emails posing as notifications of bogus hotel credit card charges is distributing scareware applications.

The fake emails started appearing last week and bear subjects like "Hotel Sutton Place made wrong transaction" or "Wrong transaction from your credit card in Four Seasons Resort Scottsdale."

The message body also varies, but it usually concerns a bogus charge allegedly made by a hotel to the recipient's credit card. One example reads:

"Dear Client! Transaction: Visa 4098_6e. On July 26th, 2011 Hotel made wrong transaction decommissioning from your credit card totaling $1037.

"This partner hotel was divested accreditation in Moverick Company with reference of noncompliance of the service contract. Please see the attached form. You need to fill it in and contact your bank for the return of funds.

"In the attachment you will find expense sheet with the sum of wrong transaction writing-down. Company just mediates and bears no responsibility for any money transactions made by Hotel. Thank you for understanding. We trust you can solve this unpleasant problem."

The attached file is called RefundForm###.zip, where # is a random digit. The archive contains an executable file called Refund-Form.exe whose icon resembles that of an Excel document.
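A mail-gateway style check for the attachment described above, as an added example that is not part of the original article: it flags any zip attachment that contains an executable and records whether the file name matches RefundForm###.zip. The function names, the extension list and the sample message are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment name reported in the article: "RefundForm" + three digits + ".zip".
LURE_ZIP = re.compile(r"^RefundForm\d{3}\.zip$", re.IGNORECASE)
# Assumption: extensions a gateway would treat as directly executable on Windows.
EXEC_EXT = (".exe", ".scr", ".pif", ".com")


def inspect_message(raw: bytes) -> list:
    """Return one finding per zip attachment that contains an executable."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            continue  # corrupt archive: left to other gateway controls
        execs = [m for m in members if m.lower().endswith(EXEC_EXT)]
        if execs:  # the file name is only a hint; the archive content decides
            findings.append({"attachment": name, "executables": execs,
                             "lure_name": bool(LURE_ZIP.match(name))})
    return findings


def build_sample(zip_name: str, member: str) -> bytes:
    """Constructed test message; the archive member is inert placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"inert placeholder, not a program")
    msg = EmailMessage()
    msg["Subject"] = "Hotel Sutton Place made wrong transaction"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Please see the attached form.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for f in inspect_message(build_sample("RefundForm123.zip", "Refund-Form.exe")):
        print(f)
```

Because the check keys on the archive content, a renamed zip carrying the same executable is still flagged, with `lure_name` set to false.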

"Once executed this malware downloads the file soft.exe from yomwarayom2001[dot]ru (84.247.61.25). This did not run straight away so we ran it on a separate test machine and verified that this is a fake AV product named ‘Security Protection’," security researchers from M86 Security warn.

According to Gary Warner, director of research in Computer Forensics at the University of Alabama at Birmingham (UAB), despite this campaign being several days old, as of Sunday, the AV detection rate for the distributed malware remains low.

This is because the gang behind the attack is quickly altering its downloader to avoid detection. "We're still seeing more than 1,000 copies per day of this malware," Warner says.