Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

E-Gold Scams

Published: 2006-07-23
Last Updated: 2006-07-24 00:00:45 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
Reader Ivan alerted us earlier today about an email scam that has surfaced in the past few days.  Here's the text of the message he saw:

Subject: egold transaction
Message:

Good day,
Yesterday I was checking my egold account and was surprised at what I saw: I had almost 200 ounces of gold (USD 100,177.90). I never had so much money, (I only had USD177.90 in my account at he time of this transaction) I don't know how did they get there. I clicked on history and saw that money were transferred 2 hours ago, in the memo field I saw your email address:[email] When I was trying to sort this out - money disappeared from my egold account. I lost my money and money that came from nowhere. I changed my password immediately and now I am trying to find out what has happened. Luckily I made a screenshot with the transaction history for you to see and tell me what is going on. I hope that you will let me know what has happened. I did not contact egold support yet. I hope that we will be able to sort this matter ASAP. Before I will contact them.
Regards,
Jannet Johnston


Not a bad job of building a scam.  As you might expect, there was a file attachment that looks fairly innocent, "screen.zip" and likely would fool many unsuspecting victims.  Opening the file we find an executable file inside the archive that is named "screen.jpeg (many spaces) .exe" that in turn has a filesize of 8,485 bytes.  Most of you know what happens next...

Ivan did a bit more analysis and found that the .exe file drops a .dll component that is installed as a Browser Helper Object (BHO).  The dropped component also downloads mailordermarijuana.ca/images/mod.gif (careful!!)  The mod.gif file (11,570 bytes) is also a .exe dropper which in turn also installs another .dll in the infected system.  The second .dll looks like a Trojan-Spyware stealing e-gold account information from the users of the infected system.

Handler Lenny found a blog that seems to indicate this scam started a few days ago.

Thanks, Ivan.  Readers like you are the backbone of the SANS Internet Storm Center and we really appreciate those who send in their own analysis for us to turn around in alerts to others.

Marcus Sachs
Director, SANS Internet Storm Center

Keywords:
0 comment(s)
Diary Archives