
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-07-23 InfoSec Handlers Diary Blog



E-Gold Scams

Published: 2006-07-23
Last Updated: 2006-07-24 00:00:45 UTC
by Marcus Sachs (Version: 1)
Reader Ivan alerted us earlier today about an email scam that has surfaced in the past few days.  Here's the text of the message he saw:

Subject: egold transaction
Message:

Good day,
Yesterday I was checking my egold account and was surprised at what I saw: I had almost 200 ounces of gold (USD 100,177.90). I never had so much money, (I only had USD177.90 in my account at the time of this transaction) I don't know how did they get there. I clicked on history and saw that money was transferred 2 hours ago, in the memo field I saw your email address: [email] When I was trying to sort this out - money disappeared from my egold account. I lost my money and money that came from nowhere. I changed my password immediately and now I am trying to find out what has happened. Luckily I made a screenshot with the transaction history for you to see and tell me what is going on. I hope that you will let me know what has happened. I did not contact egold support yet. I hope that we will be able to sort this matter ASAP. Before I will contact them.
Regards,
Jannet Johnston


Not a bad job of building a scam.  As you might expect, there was a file attachment that looks fairly innocent, "screen.zip", and it would likely fool many unsuspecting victims.  Opening the archive we find an executable inside named "screen.jpeg (many spaces) .exe", 8,485 bytes in size; the padding spaces push the real .exe extension out of view so the name reads as an image.  Most of you know what happens next...
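A small triage check for attachments like this one, added here as an example and not part of Ivan's analysis or any ISC tool: it opens a zip, flags member names whose real extension is executable but is hidden behind an image-style decoy extension and a run of padding spaces, and confirms whether the member begins with an MZ header. The archive it scans is a constructed stand-in for "screen.zip", not the real sample.

```python
import io
import re
import zipfile

# Extensions Windows will execute no matter what text precedes them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a lure uses to look like a harmless image or document.
DECOY_EXTS = {".jpeg", ".jpg", ".gif", ".png", ".bmp", ".pdf", ".doc", ".txt"}


def inspect_member_name(name: str) -> dict:
    """Break a zip member name into decoy extension, padding and true extension."""
    base = name.rsplit("/", 1)[-1]                 # ignore directory components
    stem, dot, final = base.rpartition(".")
    final_ext = "." + final.lower() if dot else ""
    padding = len(stem) - len(stem.rstrip())       # spaces right before the true extension
    _, dot2, decoy = stem.rstrip().rpartition(".")
    decoy_ext = "." + decoy.lower() if dot2 else ""
    is_exec = final_ext in EXECUTABLE_EXTS
    return {
        "name": base,
        "final_ext": final_ext,
        "decoy_ext": decoy_ext,
        "padding": padding,
        "executable": is_exec,
        # Executable that masquerades as a decoy type or hides behind padding.
        "suspicious": is_exec and (decoy_ext in DECOY_EXTS or padding >= 4),
    }


def scan_zip(data: bytes) -> list:
    """Return one finding per file member, including whether it starts with 'MZ'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rep = inspect_member_name(info.filename)
            rep["size"] = info.file_size
            with zf.open(info) as fh:
                rep["has_mz_header"] = fh.read(2) == b"MZ"   # PE/DOS executable magic
            findings.append(rep)
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure: a padded 'screen.jpeg ... .exe' plus a real-looking image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screen.jpeg" + " " * 30 + ".exe", b"MZ" + b"\x00" * 62)   # fake PE stub
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)          # JPEG magic
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` flags the padded member as suspicious with an MZ header and leaves the JPEG alone; the same function works on a real attachment's bytes.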

Ivan did a bit more analysis and found that the .exe file drops a .dll component that is installed as a Browser Helper Object (BHO).  The dropped component also downloads mailordermarijuana.ca/images/mod.gif (careful!!).  The mod.gif file (11,570 bytes) is not an image but another .exe dropper, which in turn installs a second .dll on the infected system.  That second .dll looks like a Trojan-Spyware component that steals e-gold account information from users of the infected system.

Handler Lenny found a blog that seems to indicate this scam started a few days ago.

Thanks, Ivan.  Readers like you are the backbone of the SANS Internet Storm Center and we really appreciate those who send in their own analysis for us to turn around in alerts to others.

Marcus Sachs
Director, SANS Internet Storm Center


Yahoo! et al Status

Published: 2006-07-23
Last Updated: 2006-07-23 23:19:37 UTC
by Marcus Sachs (Version: 1)
There was a lengthy outage of the Yahoo Messenger and email services late Saturday into Sunday morning.  We tried to contact Yahoo to find out what was going on but did not get a response.  Looking around the 'net I found some discussions: a few sites said it was a DNS issue, others said that Yahoo was having hardware problems, and another guessed that it was due to power outages in California.  Either way, it got me thinking how important it is for Network Operations Centers (NOCs) to keep their customers informed about the status of the service they are providing.  There are places on the 'net that list NOC phone numbers and points of contact (Jared Mauch's site is my favorite), but most do not have URLs for status sites, which would be more convenient than calling an 800 number and leaving a message.  Do you run a NOC or SOC?  Do you have a web page where customers can see in near real time the status of your services?  If so, let us know via our contact page and we'll build a page off our links page that lists the popular NOC status sites so that readers have a way to know immediately what is going on.

Marcus Sachs
Director, SANS Internet Storm Center