I just got another phishing attack. The interesting thing about this attack is that instead of trying to trick me into opening a URL, the 'phisher' tried to trick me into clicking a zipped file. The extracted file itself is clean of viruses, as McAfee says:

ms# uvscan --version
Virus Scan for BSD v4.24.0
Copyright (c) 1992-2003 Networks Associates Technology Inc.
All rights reserved.
(408) 988-3832
LICENSED COPY - Jan 27 2003
Scan engine v4.2.40 for BSD.
Virus data file v4348 created Apr 06 2004
Scanning for 88550 viruses, trojans and variants.
ms#
ms# uvscan --summary www.fdic.com.fraud.security.pif.pif
Summary report on /tmp/www.fdic.com.fraud.security.pif.pif
File(s)
Total files: ........... 1
Clean: ................. 1
Not scanned: ........... 0
Possibly Infected: ..... 0
ms#

Moreover, based on the strings result I can guess that once someone opens this file, the file will "call home", though I can't find the IP address of where this program is calling.

WSAStartup
connect
gethostbyname
htons
recv
send
socket
GetCommandLineA
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetVersion
GetWindowsDirectoryA
MoveFileExA
CreateFileA
RtlUnwind
SetFilePointer
WinExec
WriteFile
CreateThread
DeleteFileA
__GetMainArgs
_sleep
atoi
exit
raise
rand
signal
sprintf
strchr
wsock32.dll
KERNEL32.DLL
CRTDLL.DLL

--------------

X-Hydra-AttHeader: www.fdic.com.fraud.security.pif.zip
Return-path: <security@xxxxxxxx>
Received: from barracuda.usu.edu ("port 51995"@barra.ss.usu.edu [129.123.104.27]) by cc.usu.edu (PMDF V6.1 #39089) with ESMTP id <01L8M9XDSOZ4AFUJLZ@xxxxxxxxxx> for @cc.usu.edu (ORCPT @cc.usu.edu); Tue, 06 Apr 2004 17:48:21 -0600 (MDT)
Received: from pcp03457982pcs.csouth01.va.comcast.net (pcp03457982pcs.csouth01.va.comcast.net [68.57.182.239]) by barracuda.usu.edu (Barracuda Spam Firewall) with SMTP id 6C8A8D03C458 for <@cc.usu.edu>; Tue, 06 Apr 2004 16:48:16 -0700 (PDT)
Date: Mon, 05 Apr 2004 19:40:08 -0700
From: Brian Spencer <security@xxxxxxxx>
Subject: fraud report
To: @cc.usu.edu
Message-id: <20040422683.22863.qmail@xxxxxxxx>
MIME-version: 1.0
Content-type: multipart/mixed; boundary=----------2171105EE3ED50
X-ASG-Debug-ID: 1081286665-27043-183-0
X-Barracuda-URL: http://129.123.104.27:8000/cgi-bin/mark.cgi
X-ASG-Orig-Subj: fraud report
X-Virus-Scanned: by Barracuda Spam Firewall at usu.edu
X-Barracuda-Spam-Status: No, SCORE=1.5 using global scores of TAG_LEVEL=5.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=1000.0 tests=DATE_IN_PAST_12_24, DEAR_SOMETHING
X-Barracuda-Spam-Report: Rule breakdown below
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 DEAR_SOMETHING         BODY: Contains 'Dear (something)'
 0.4 DATE_IN_PAST_12_24     Date: is 12 to 24 hours before Received: date
Original-recipient: rfc822;@cc.usu.edu

Dear Sir!

We are sorry to report that your bank account has been temporarily closed cause of explicit fraud activity. We are about to report to the police about this incident and they.ll carefully investigate this matter. If you.ll be found guilty, your can be charged up to $57,183. You can find all the details about this incident in the attached file and if you still have any questions until the police start investigation, please contact us as soon as possible.

Sir, fraud activity is prohibited by the US legislation and you must note down that from now on your every step is being carefully traced down. So if you don.t want any other incidents to take place, wait for the end of this investigation or contact us. You can find our email and phone number in the attached file(password - MarH3Jl4).

Faithfully yours,
Brian Spencer (Chief Manager)

www.fdic.com.fraud.security.pif.zip
Attachment:
fdic.pif.zip
Description: Zip compressed data
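As an added example that is not part of the original post: the routing headers quoted above can be walked programmatically to recover the host the mail really came from (the bottom-most Received: header, not the forgeable From:), and the spam filter's DATE_IN_PAST_12_24 hit can be reproduced from the Date: and Received: timestamps. The sample below is constructed from the headers in the post, with the post's redactions kept.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the routing headers quoted in the post above, with the
# same redactions; the body and the other headers are left out.
SAMPLE_HEADERS = """\
Return-path: <security@xxxxxxxx>
Received: from barracuda.usu.edu ("port 51995"@barra.ss.usu.edu [129.123.104.27])
 by cc.usu.edu (PMDF V6.1 #39089) with ESMTP id <01L8M9XDSOZ4AFUJLZ@xxxxxxxxxx>
 for @cc.usu.edu; Tue, 06 Apr 2004 17:48:21 -0600 (MDT)
Received: from pcp03457982pcs.csouth01.va.comcast.net
 (pcp03457982pcs.csouth01.va.comcast.net [68.57.182.239])
 by barracuda.usu.edu (Barracuda Spam Firewall) with SMTP id 6C8A8D03C458
 for <@cc.usu.edu>; Tue, 06 Apr 2004 16:48:16 -0700 (PDT)
Date: Mon, 05 Apr 2004 19:40:08 -0700
From: Brian Spencer <security@xxxxxxxx>
Subject: fraud report

"""

# Matches "from <helo-name> (<rdns> [<ip>])" as written by the two MTAs above.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def relay_chain(raw):
    """(helo_name, ip) per hop, origin first. Each MTA prepends its own
    Received: header, so the bottom-most one is the earliest hop: the host the
    phisher actually connected from, unlike From:, which the sender controls."""
    msg = message_from_string(raw)
    hops = []
    for rcvd in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(rcvd)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def date_lag_hours(raw):
    """Hours between the sender-supplied Date: and the earliest Received:
    stamp; Barracuda's DATE_IN_PAST_12_24 rule fires when this is 12 to 24 h
    (a forged Date:, a skewed sending clock, or mail that sat in a queue)."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])
    earliest = msg.get_all("Received")[-1]
    received = parsedate_to_datetime(earliest.rsplit(";", 1)[1].strip())
    return (received - sent).total_seconds() / 3600

if __name__ == "__main__":
    print(relay_chain(SAMPLE_HEADERS))
    print(round(date_lag_hours(SAMPLE_HEADERS), 1))
```

On this message the origin hop is the Comcast dial-up host 68.57.182.239, and the Date: header sits about 21 hours before the first receipt, which is the 0.4-point rule hit in the report.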