Here's how you can make the difference between phony and legitimate notifications

Feb 21, 2012 09:54 GMT  ·  By

An email apparently coming from the Recording Industry Association of America (RIAA) informs the recipient that their IP address was identified as distributing copyrighted content. In reality, the run of emails is part of a malicious campaign designed to spread an information-stealing Trojan.

MalwareSurvival reports that the message, entitled “Notification of copyright violation”, urges the user to open the attachment for more details.

“Dear [email address], hereby we notify you that your IP address has been identified as distributing copyrighted content. Please see the attachment to this message for illicit Internet traffic details. Failure to respond to this message within 14 days will result in copyright infringement accusation and standard legal procedures,” reads the email.

Once the attached file, called report.zip, is downloaded and run, it drops two Trojans, identified by Sophos as Agent-UPR and the now well-known Bredo-QI.

The malware creates registry entries and files so that it is not easy to remove, then contacts a Russian server from which it receives its orders.

With the buzz around SOPA, PIPA and ACTA, cybercriminals rely on the fact that many users will rush to open the attachment, fearing the consequences.

As many already know, such emails are set up by crooks to steal information from unsuspecting users. Even when the sender’s address is spoofed to look like it originates from a legitimate RIAA representative, other clues give away the message’s true origin.

First of all, precisely because schemes of this kind are so common, no legitimate organization would send such a notice with a zip file attached.

A legitimate message may instead carry a link. In that case, the link should point to the organization’s official site, which can be checked against the host name displayed in the browser’s address bar.

Many of these phony emails also include contact information, but in most cases the phone numbers are either fake or, worse, premium-rate numbers that inflate the phone bills of anyone who makes the mistake of calling them.
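The two clues above (an archive attachment on a supposed legal notice, and links that do not resolve to the organization’s own site) can be checked mechanically before anyone opens a message. The following triage script is an added example written for this article, not code from the article or from MalwareSurvival or Sophos. It assumes riaa.com as the organization’s legitimate domain, and both emails it inspects are constructed here: one mimics the campaign described (spoofed RIAA sender, report.zip attached, link to a made-up lookalike host), the other is a clean notice with a link to the official site.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the organization's legitimate domain(s).
TRUSTED_DOMAINS = {"riaa.com"}
# Attachment types a legitimate copyright notice would not carry.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_trusted_host(host: str) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and list the red flags the article names."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, attachments, links = [], [], []

    # Sender domain check. A spoofed From: header passes this check, which is
    # exactly why the attachment and link checks below matter more.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_trusted_host(sender_domain):
        findings.append(f"sender domain not trusted: {sender_domain}")

    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            attachments.append(name)
            if name.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"risky attachment: {name}")
        elif part.get_content_maintype() == "text":
            # Collect every URL in text/plain and text/html bodies.
            links.extend(URL_RE.findall(part.get_content()))

    for url in links:
        host = urlparse(url).hostname or ""
        if not is_trusted_host(host):
            findings.append(f"link to untrusted host: {host}")

    return {
        "verdict": "suspicious" if findings else "no red flags",
        "attachments": attachments,
        "links": links,
        "findings": findings,
    }


def build_phishing_sample() -> bytes:
    """Constructed message modelled on the campaign described in the article."""
    msg = EmailMessage()
    msg["From"] = "RIAA Legal <notices@riaa.com>"  # spoofed sender (constructed)
    msg["To"] = "user@example.org"
    msg["Subject"] = "Notification of copyright violation"
    msg.set_content(
        "Your IP address has been identified as distributing copyrighted\n"
        "content. See the attachment, or open http://riaa-notice.example/report.php\n"
    )
    # Not a real archive: a constructed byte string standing in for report.zip.
    msg.add_attachment(b"PK\x03\x04 constructed placeholder",
                       maintype="application", subtype="zip",
                       filename="report.zip")
    return msg.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed message that follows the article's rules for a legitimate notice."""
    msg = EmailMessage()
    msg["From"] = "RIAA Legal <notices@riaa.com>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Copyright notice"
    msg.set_content("Details are published at https://www.riaa.com/\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, sample in (("phishing", build_phishing_sample()),
                          ("clean", build_clean_sample())):
        print(label, triage(sample))
```

The script deliberately does not trust the From: header on its own: in the constructed phishing sample the sender domain passes, and only the zip attachment and the off-domain link raise the verdict to "suspicious", which mirrors the article’s point that a spoofed sender is not the clue to rely on.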