Tuesday, August 16, 2011

Fake AV Propels Visa Card Scams

More old wine in a new bottle: Spammers have used the same payload that we saw in an earlier UPS scam to target more victims. Looks like the spammers ran out of new binaries.

Last weekend McAfee observed scams spread across the world that claimed to have come from Visa Customer Services. The mail had the subject “Your credit card has been blocked – Central European (ISO).”


Scam mail
The mail included the malicious executable “VISA_complete_NR<Randomnumber> .doc________________.exe” zipped into a file with a random name. The malware was packed with another executable that was a fake antivirus program. At McAfee we observed that this same payload has been distributed across the world with different names using different scam campaigns. Some filenames:

  • ups_invoice_id865165475837266465.doc________________.exe (UPS Scam)
  • mastercard_invoce_id65729217565333.doc________________.exe
  • visa_complete_nr62178865627245.doc________________.exe

The dropped malware randomly chooses the rogue AV payload (XP Security 2012 or Personal Shield Pro, to name two) from the remote server. McAfee products detect these payloads as FakeAlert-AB.dldr.



Unlike earlier variants, these binaries did not have the icon of a document file, so they were not covert enough to hide from users. Our cloud-based Artemis technology revealed that this scam was a global target.

The figure below from Artemis shows this malware has spread across the world.



All McAfee customers are protected against this malware. McAfee Labs reminds the public to pursue safe email practices.

By: Arun Pradeep