New(?) scam: Door to door malware in Christchurch
Hi list,

Just had a visit to our Christchurch offices from a shady guy claiming "ISPs snoop on all your traffic, you should download this free, secure browser" who then proceeded to hand our tech who answered the door several URLs on a piece of paper.

I can't imagine a world in which the "linked" executable is anything aside from a malware payload, though VirusTotal returns nothing for the file, so it may be new or just creatively packed.

Here's a picture of the piece of paper given to our tech:

http://finch.am/projects/nznog/IMG_20110802_124202.jpg

The URLs on the paper are:

http://www.autoprofits.smartmediaTechnologies .com
http://www.autoprofits.smartmediaDesktop .com
http://www.autoprofits.smartmediaPays .com

I'm happy to provide a copy of the payload for analysis and I'm sure our tech could give a more thorough description of the chap if anyone wants to take this further.

--
-Michael Fincham
System Administrator, Unleash
www.unleash.co.nz
Phone: 0800 750 250 DDI: 03 978 1223 Mobile: 027 666 4482

Anyone else seen anything similar?

I'm at a loss to understand if this is:
a) a really lame targeted attack
b) a wide scale attack that we have only heard one example of.

Dean

On 2/08/11 12:55 PM, Michael Fincham wrote:
> Hi list,
>
> Just had a visit to our Christchurch offices from a shady guy claiming "ISPs snoop on all your traffic, you should download this free, secure browser" who then proceeded to hand our tech who answered the door several URLs on a piece of paper.
>
> I can't imagine a world in which the "linked" executable is anything aside from a malware payload, though VirusTotal returns nothing for the file, so it may be new or just creatively packed.
>
> Here's a picture of the piece of paper given to our tech:
>
> http://finch.am/projects/nznog/IMG_20110802_124202.jpg
>
> The URLs on the paper are:
>
> http://www.autoprofits.smartmediaTechnologies .com
> http://www.autoprofits.smartmediaDesktop .com
> http://www.autoprofits.smartmediaPays .com
>
> I'm happy to provide a copy of the payload for analysis and I'm sure our tech could give a more thorough description of the chap if anyone wants to take this further.

I've downloaded the software and provided Michael with screenshots.

In summary it's a Get Rich Quick scam. The software download page has one of those lengthy videos so I just skipped to 2/3 and caught the guy saying "the software is free but you too can get rich by buying the rights to give away a branded version, for only US$400..."

So the guy paid for it and decided door-to-door was the best thing.

Once the software is installed it downloads the Mozilla engine and uses it as a browser to have access to a directory of (crap) sites. Also to an "academy" teaching you how to "connect to the Internet", things like sending emails, registering on Facebook. Also offers 1-on-1 help desk - but when you click that button it says you have to pay to have access to it. And all while showing some very ugly banner on the bottom of the screen.

While the AV on my VM didn't scream murder, I'm pretty sure you'd find out it's full of adware, spyware, crapware too...

Cheers

Mauricio Freitas
www.geekzone.co.nz
www.geekzone.co.nz/freitasm
www.twitter.com/freitasm

-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Dean Pemberton
Sent: Friday, 5 August 2011 13:25
To: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] New(?) scam: Door to door malware in Christchurch

Anyone else seen anything similar?

I'm at a loss to understand if this is:
a) a really lame targeted attack
b) a wide scale attack that we have only heard one example of.

Dean

On 2/08/11 12:55 PM, Michael Fincham wrote:
> Hi list,
>
> Just had a visit to our Christchurch offices from a shady guy claiming "ISPs snoop on all your traffic, you should download this free, secure browser" who then proceeded to hand our tech who answered the door several URLs on a piece of paper.
>
> I can't imagine a world in which the "linked" executable is anything aside from a malware payload, though VirusTotal returns nothing for the file, so it may be new or just creatively packed.
>
> Here's a picture of the piece of paper given to our tech:
>
> http://finch.am/projects/nznog/IMG_20110802_124202.jpg
>
> The URLs on the paper are:
>
> http://www.autoprofits.smartmediaTechnologies .com
> http://www.autoprofits.smartmediaDesktop .com
> http://www.autoprofits.smartmediaPays .com
>
> I'm happy to provide a copy of the payload for analysis and I'm sure our tech could give a more thorough description of the chap if anyone wants to take this further.