Threat Level: green Handler on Duty: Deborah Hale

SANS ISC: InfoSec Handlers Diary Blog - Malware emails with fake cellphone invoice InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Malware emails with fake cellphone invoice

Published: 2011-03-29
Last Updated: 2011-03-29 23:39:11 UTC
by Daniel Wesemann (Version: 1)
5 comment(s)

"Thank you for ordering from Cellphone Inc" is what the email says ... what it doesn't say is "have a nice day cleaning your infected PC". Reader Scott had just taken his mobile phone to a store for repair, but being the savvy security specialist, he was still suspicious when he got the following email shortly thereafter

Thank you for ordering from Cell Phone Inc.

This message is to inform you that your order has been received
and is currently being processed.

Your order reference is Cell Phone Inc. You will need this in all correspondence.
This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount
of 629.99 USD and "Cell Phone Inc." will appear next to the charge on your statement.
Your purchase information appears below in the file.

Cell Phone Inc.


Turns out of course that this email had nothing to do with Scott's phone, it is just the latest malware scam. The email comes with a PDF attachment that - at current count - tries to exploit collab.getIcon, media.newPlayer, collab.collectEmailInfo and util.printf -- all rather "old" Adobe Acrobat vulnerabilities, but apparently still "good enough" for the bad guys to warrant a new spam run.

The PDF's guts are obfuscated JavaScript, as usual, and currently showing up with a lousy 2/43 on the Virustotal radar

Keep your users from clicking ... and keep up with those pesky almost-feels-like-weekly Adobe updates!

 

Keywords: acrobat PDF exploit
5 comment(s)
Diary Archives