Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, 25 February 2009

Money Tight? Watch out for Coupon Offers from CyberCriminals

Posted on 14:23 by Unknown
While investigating the Waledac malware, UAB malware analysts Brian Tanner and Thom Savage discovered a new scam targeting those who may be feeling the economic pinch.

Over Valentine's Day weekend, the UAB Spam Data Mine had revealed dozens of websites spreading a fake Valentine's Day ecard as a way of tricking users to visit websites which would infect their computer with the Waledac virus.

When revisiting the same domains, Tanner and Savage, who study in the UAB Computer Forensics program, found that they now contained a Coupon website instead of a Valentine's Day e-Card.

Based on the new evidence, the students logged in to the UAB Spam Data Mine looking for new coupon scams, and quickly identified emails, with URLs such as:

http://fsubu.codecouponsite.com/coupon.php

The website includes a geo-location code, so that the page seems to offer coupons localized for where your computer is located. In our case, the pages offered coupons for "Birmingham, United States" on a page that looked like this:



A quick Google search found that "Couponizer.com" is a real company, based in Cummings, Georgia, run by Amy Bergin. (We've left her a voicemail to offer our assistance). Her website looks like this:



Some of the many domain names used in the current coupon scam malware are:

greatsalestax.com
thecoupondiscount.com
workcaredirect.com
smartsalesgroup.com
yourcountycoupon.com
codecouponsite.com
supersalesonline.com
bestcouponfree.com
greatcouponclub.com

The malware name changes with nearly every visit, however we have seen it named:

stopcrisis.exe
couponslist.exe
sale.exe
saleslist.exe

Some of the other email subjects we received were:

All sales on one site
Useful information, Look at it!
You'll thank me
You can find such coupons and sales only here! Up to 90% off!
You will be appreciated
A good way to save money is to use these coupons

Like the Valentine's Day e-card malware last week, this malware is HUGE. More than 438 KB - or more than 10 times larger than much of the malware we see.

The current version gives this report from VirusTotal:

9 of 39 anti-virus products detecting. Notably neither AVG, McAfee, Symantec, or TrendMicro know that this is a virus at this time.
Email ThisBlogThis!Share to XShare to Facebook
Posted in waledac | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • 2009 Year in Review
    As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share bac...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • New BBC spam mocks Georgia's President, Spreads New Virus
    This morning we've received more than 300 copies of a new "BBC" spam campaign which mocks Georgia's President and spreads ...
  • A New Year and Anti-Virus Products Are Still Losing
    One of our most popular blog posts in 2008 was back in August - Anti-Virus Products Still Fail on Fresh Viruses . I'm sad to report tha...
  • Digital Certificates Update
    A quick update from the previous post. The Digital Certificates spam campaign against Merrill Lynch continues, but the good guys seem to be ...
  • ATM Cashers in 26 Countries steal $40M
    CBS News in New York has a video on their website this morning title Cyber-attacks behind possibly record-breaking bank heist . Former FBI ...
  • Amero to Replace Dollar? Could Storm Worm Be Right?
    According to the newest version of the Storm Worm, the Amero is about to replace the dollar: The U.S. Government began to realize the plan t...
  • FAL$E HOPE$ @ CHRI$TMA$
    FAL$E HOPE$ was a Federal Trade Commission operation announced on December 12, 2006, which cracked down on Bogus Business Opportunities. C...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Minipost: NY Zeus "At Large" Codreanu and Adam captured
    We've previously posted about the FBI's Operation ACHing Mule (that's A-C-H as in Automated-Clearing-House, the way American ba...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ▼  February (6)
      • Another Password Stealer hides as Bank of America ...
      • Money Tight? Watch out for Coupon Offers from Cyb...
      • Javeline Spins an Identity Theft Survey
      • New Trend: Stimulus Scammers
      • February 2009 Black Tuesday Report - Critical Exch...
      • Traveler Scams: Email Phishers Newest Scam
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile