Lloyds TSB Scam: Updated Terms and Conditions

Recently we have noticed several email messages claiming to come from Lloyds TSB a London, UK based financial entity informing customers that they are required to login and accept an updated terms and conditions, otherwise their account will be suspended. The messages appear to be coming from noreply@illoydstsb.com; however, when further analysis is done on the message header it is actually coming from several domains ending with .es.

When the user clicks the link below thinking they will be going to the terms and conditions, they are actually sent to a fake Lloyds banking site that guides the user through the login process (in an effort to steal credentials).

Fake Antimalware Applications

As we have been monitoring the threat landscape during the last couple of weeks we have noticed an increase in fake anti-malware applications being used to defraud users. While these applications themselves do not provide any level of security for the user in terms of detecting and removing malware; the application itself is designed to trick the user into thinking that they are infected via the use of pop-ups and enticing them to purchase a full version as a means of cleaning the system.

The objective is always financial motivation and this is one way they are making money by sending out Spam with Trojan downloaders hidden behind the links designed to install fake security software, in a majority of the cases Anti-virus XP 2008.

New Celebrity Spam – Fake Security Product Installed (AV XP 2008)

This morning the Celebrity spam campaign continued with a few new fake video codec sites delivering a downloader Trojan designed to install a fake security product known as AntiVirus XP 2008. It’s apparent now that a number of these spam campaigns are only interested solely in distributing this one particular fake security product. The file downloaded is called video99.exe or video66.exe and varies depending on the email message and the site used (HTML page names often correspond to the binary used index99.html, index66.html, etc).

Some of the subject lines of this particular spam campaign is:

“John McCain to Paris Hilton: Cosmo, baywatch!”

“Britney Spears Shaves Head at Request of Zombie Overlord”

Fake Windows XP Vista Update – Installs AV XP 2008

This morning the AV XP 2008 spammers were at it again with another round of spam messages claiming to offer an update to Microsoft Windows Vista (we have seen similar attacks before offering false updates). However, when the user clicks the link he/she is directed to a malicious .swf that will download the file install.exe which essentially is a downloader Trojan designed to install AV XP 2008.

File size: 203776 bytes

MD5…: 0f44ed00c0b67d9e5062b8e2c3574345

SHA1..: 4d9b42bbd950ea0c253a483ea2db3f888055c1c6

SHA256: e5885411c5ab7dbf2846b3b0606f6b294bbc9203ec8065d13560470ceab07c07

SHA512: b1b437a2df0023e1af019e6a06c31d298063f156819ea5b1de4047ad5766c6f8 00db13161056c7db223737cfc8fe00ce58d7756ebe33e4042627d6c9fbee8a6f

PEiD..: -

TrID..: File type identification Win32 Executable Generic (38.4%) Win32 Dynamic Link Library (generic) (34.2%) Clipper DOS Executable (9.1%) Generic Win/DOS Executable (9.0%) DOS Executable Generic (9.0%)

Statement of Fees Malspam Campaign (AV XP 2008)

A couple of minutes ago another round of spam messages appeared claiming to provide information concerning a statement of fees recently posted (inferring to banking account fees). The message contained an attachment with a fake Microsoft Word Document which actually is an executable (Fees-2008_2009.doc.exe) that installs a Trojan Downloader.

Further analysis indicates that the Trojan when installed connects to a php page hosted on a Russian domain to obtain several possible sites as a means of downloading the installer for AntiVirus XP 2008. The actual URLs are contained within this script and the file which is downloaded is lspr.exe (MD5 ffccd0518b04354532c733674c0faa00) and is identified as Adware/AVXP2008.