
Has my credit card really been blocked?

Posted 07.28.11, 08:10 AM by Zachariah Boren (Administrator)
 

07.28.11 05:18 AM

Websense ThreatSeeker® Network has been monitoring and tracking a recent wave of email attacks being spread and aimed at credit card users and holders.



The attack comes in the form of a short email with fairly detailed text alerting the recipient that their credit card has been blocked and that they should open the attached file to find out more. The format seems old, with the content and the attached file's properties being the distinctive factor. With the recent attacks on and data breaches of organizations in the press, this seems to be worth the buzz, as personal details and credit card details were part of the information leaked.



Sample of email message.





A similar message opened with a text editor below shows that the content has not changed much during the campaign, apart from the wording within the message body and the header information regarding the sender address or connecting IPs, which are listed in this blog post.







A noticeable repeating pattern, besides the salutation and some generic content such as "Dear User|Client|Sir|Madam" and "WARNING|ATTENTION|URGENT", is the attached file name. The example file here is a .bat file, which indicates a DOS executable batch file. Additionally, the file name has always used the following format:



"id", "[5-7 digits]" and the file extension.



Further analysis of the file reveals that it is actually a Windows executable: it contains a PE signature within the header information, as highlighted in the picture below.







Interestingly, the file properties also suggest to the untrained eye that the file originated from VMware. This ties in with the author's overall trickery and the re-use of the tactic and resources.







Although the file appears to have originated from VMware, the attachment is actually not signed, as shown in the screenshot below (courtesy of VirusTotal).







The file is also VM-aware: the resulting download of the fake AV only runs when the file is executed on a physical host (as opposed to inside a guest virtual machine), so host-based analysis is needed to observe it.

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.






http://community.websense.com/blogs/...mpromised.aspx
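The two indicators the post describes, the fixed attachment naming scheme ("id" followed by 5-7 digits and an extension) and a .bat attachment that is really a Windows PE executable, can be turned into a simple mailbox triage check. The Python below is an added example, not code from the original post or from Websense: the sample attachments are constructed inline (a minimal MZ/PE stub and a harmless batch file), and the extension lists are assumptions for the example. The PE check itself is the standard one: an "MZ" DOS stub whose 32-bit e_lfanew field at offset 0x3C points at the "PE\0\0" signature.

```python
import re
import struct

# Attachment naming scheme described in the post: "id", 5-7 digits, then an extension.
CAMPAIGN_NAME_RE = re.compile(r"^id\d{5,7}\.[A-Za-z0-9]{1,4}$", re.IGNORECASE)

# Extensions Windows runs as scripts / native executables (assumed lists for this example).
SCRIPT_EXTENSIONS = {".bat", ".cmd"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def is_campaign_name(filename):
    """True if the attachment name matches the campaign's id<5-7 digits>.<ext> pattern."""
    return bool(CAMPAIGN_NAME_RE.match(filename))


def pe_signature_offset(data):
    """Return the offset of the 'PE\\0\\0' signature if data is a Windows PE image, else None.

    A PE file starts with an 'MZ' DOS stub; the little-endian 32-bit value at
    offset 0x3C (e_lfanew) gives the offset of the 'PE\\0\\0' signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return None  # pointer runs past the end of the file: not a valid PE
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def triage_attachment(filename, data):
    """Return the list of indicators found for one attachment (empty list = nothing noted)."""
    indicators = []
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if is_campaign_name(filename):
        indicators.append("filename matches campaign pattern id<5-7 digits>.<ext>")
    if ext in SCRIPT_EXTENSIONS and pe_signature_offset(data) is not None:
        indicators.append("%s attachment carries an MZ/PE header (disguised Windows executable)" % ext)
    if ext in EXECUTABLE_EXTENSIONS:
        indicators.append("directly executable attachment (%s)" % ext)
    return indicators


def triage_mailbox(attachments):
    """attachments: iterable of (filename, bytes). Returns {filename: indicators} for flagged files only."""
    flagged = {}
    for name, data in attachments:
        hits = triage_attachment(name, data)
        if hits:
            flagged[name] = hits
    return flagged


# Constructed samples (not taken from the post): a minimal MZ/PE stub and a plain batch file.
SAMPLE_PE = (
    b"MZ" + b"\x00" * (0x3C - 2)   # DOS header up to e_lfanew
    + struct.pack("<I", 0x40)      # e_lfanew -> PE signature sits at offset 0x40
    + b"PE\x00\x00"                # PE signature
    + b"\x00" * 20                 # truncated COFF header, enough for this check
)
SAMPLE_BAT = b"@echo off\r\necho hello\r\n"

SAMPLE_ATTACHMENTS = [
    ("id123456.bat", SAMPLE_PE),   # campaign-like: matching name, PE hidden in a .bat
    ("id1234.bat", SAMPLE_BAT),    # only 4 digits, and a genuine batch file
    ("report.pdf", b"%PDF-1.4\n"),
]

if __name__ == "__main__":
    for name, hits in triage_mailbox(SAMPLE_ATTACHMENTS).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

The check deliberately keys on the file content rather than the extension alone, because the whole trick of the campaign is a batch-file name on a PE body. It does not cover the other two observations in the post, the missing Authenticode signature and the VM-aware download stage; those need a signature verifier and execution on a physical host respectively.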