
Zbot Reports a "Possible Fraudulent VISA Card Transaction"

Published: December 10 2009, 08:19 PM
by Mary Grace Gabriel

After a few weeks of silence, we have seen Zbot malware revisit its "Facebook Update Tool" and "IRS Tax Refund Request Form" campaigns.

CA ISBU recently received new spam emails disguised as legitimate mail from VISA (the credit card company), asking the recipient to review their "VISA Electronic Report" by clicking on the link provided [Figure 1].

[Figure 1 – Spam Sample Email]

The email contains the Subject: possible fraudulent transaction occurred with your VISA card

The email contains the Body:

    --------------------------------------------------------------------------------------------------------

    Dear VISA card holder,

    A recent review of your transaction history determined that your card was used at an ATM
    located in {Random Name of a Country}, but for security reasons the requested transaction
    was refused.Please carefully review electronic report for your VISA card at:

    http://transactions.visa.com/cards/alerts/transactions.php?
    ref=77539726816694715907580668966567461158138910157354456&email=xxx@xxxxx.com

    VISA Cards Support

    Id: U7SVR0HMRGVFFOW86ZPGA8B2CIYRIM5XISI49JSXBGFQ01BYMK4IMEF4IF6H3OUWUI5QS

    --------------------------------------------------------------------------------------------------------

Other emails may contain the following Subjects:

  • possible fraudulent transaction
  • possible fraudulent transaction and/or collusion with your VISA card
  • possible fraudulent transaction has been executed
  • possible fraudulent transaction has been executed with your VISA card
  • possible fraudulent transaction is identified
  • possible fraudulent transaction is identified with your VISA card
  • possible fraudulent transaction occurred
  • possible fraudulent transaction occurred with your VISA card
  • possible fraudulent transaction with your VISA card

If you click on the link provided in the email, you are directed to the site shown below [Figure 2], where you are prompted to download and review your "VISA Electronic Report"; this so-called "Statement" is in fact a malware installer.

[Figure 2 – Zbot Download Page]

The file "cardstatement.exe" is a password-stealing Trojan that, when executed, usually drops a copy of itself as sdra64.exe to the Windows System folder and then executes it. This Trojan is detected by CA as a Win32/Zbot variant.
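As an added illustration (not part of the original post), the two indicators the post gives for this campaign, the family of "possible fraudulent transaction" subject lines and the fixed `/cards/alerts/transactions.php?ref=...&email=...` shape of the lure link, can be turned into a simple mail-gateway classifier. The sample messages, hostnames and the verdict labels below are constructed for this example; the lure host is assumed to vary, as the comments on the post note.

```python
import re
from email import message_from_string

# All nine subjects the post lists start with this phrase; the optional groups
# cover the variants, including the trailing "with your VISA card".
SUBJECT_RE = re.compile(
    r"^possible fraudulent transaction"
    r"(?: (?:and/or collusion|has been executed|is identified|occurred))?"
    r"(?: with your VISA card)?$", re.IGNORECASE)

# Shape of the lure link in the sample body: the host varies (the comments
# mention ccTLD domains), but the path and query keys stay constant.
LURE_URL_RE = re.compile(
    r"https?://[^\s\"'<>]+/cards/alerts/transactions\.php\?ref=\d+&email=[^\s\"'<>]+",
    re.IGNORECASE)


def classify_email(raw: str) -> dict:
    """Classify one single-part RFC 822 message by subject and lure URL."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body = msg.get_payload() if not msg.is_multipart() else ""
    subject_hit = bool(SUBJECT_RE.match(subject))
    urls = LURE_URL_RE.findall(body)
    if subject_hit and urls:
        verdict = "zbot-visa-lure"      # both indicators from the post present
    elif subject_hit or urls:
        verdict = "suspicious"          # one indicator: route to manual review
    else:
        verdict = "clean"
    return {"subject_match": subject_hit, "lure_urls": urls, "verdict": verdict}


# Constructed sample messages (not real captures); hosts use .invalid.
LURE_SAMPLE = """\
From: VISA Cards Support <alerts@example.invalid>
Subject: possible fraudulent transaction occurred with your VISA card

Dear VISA card holder,
A recent review determined that your card was used at an ATM located in Freedonia,
but for security reasons the requested transaction was refused. Please review at:
http://transactions.visa.com.example.invalid/cards/alerts/transactions.php?ref=7753972681669&email=xxx@example.invalid
"""

CLEAN_SAMPLE = """\
From: Alice <alice@example.invalid>
Subject: lunch on Friday?

Still on for Friday? Menu: http://menu.example.invalid/specials.php?day=fri
"""
```

Note that the URL in the post's own sample is wrapped across two lines by the blog layout; a production filter should unwrap soft line breaks in the body before applying `LURE_URL_RE`.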

Again, we advise users to beware of these kinds of emails and to ensure that their CA security products are updated with the latest signatures.


By: Mary Grace Gabriel
Mary Grace Gabriel is a Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, Mary's career in computer security started at Trend Micro as an Anti-virus Engineer, and she also worked as Senior Malware Analyst at Anchiva Systems. She...

4 people have left comments:

This exploit, as well as the Facebook and IRS exploits, has been using domain names registered with ccTLDs (.co.uk, me.uk, org.uk).

A few .eu domain names were used.

The Facebook exploit was still going strong on the 9th until about 12:30 UTC yesterday.

It appears that everyone in the world, including my browser, knows these domain names are being used to install malware/trojans.

Everyone, that is, except the registrar. If registering a domain had the same requirements needed for a driver's license, we probably wouldn't be seeing Zeus criminals roaming freely throughout the net.

Aminof

Posted by: Aminof Spamski | December 11, 2009 3:27 AM

thanks.

Posted by: lkj | December 11, 2009 11:57 AM

I just got one of these emails. But was not going to give up my data to anyone. These scum will prey on the unwary every way they can. Thanks for helping to keep me safe.

Posted by: Tom | December 11, 2009 3:40 PM

I noticed that the ccTLD .be started being used as the .co.uk, me.uk, org.uk started going down.

Among the favorite TLDs used by the Zeus botnet, www.dns.be seems to be the slowest registrar to remove fraudulent domains, with Nominet running a close second.

I have been tracking these domains (and reported them to the registrar) for 24 hours now. Many just started going down but not all.

The registrar for ccTLD .im (Isle of Man - Domicillium) is the one with the quickest response to fraudulent domains in my experience.

Frequently the domain is down before the email is even received. If only all registrars had their proactive response!

Posted by: Aminof | December 13, 2009 8:22 AM
