Social engineering techniques still come in handy when staging what has become more popular these days: profit-driven, focused attacks.
As today’s largest Web hosting company, the German provider 1&1 was an easy draw for malware authors; hence the release of TROJ_YABE.AS. This Trojan arrives via spammed email, which uses the following details to lure users into thinking that the attachment is legitimate:
Subject: Internet AG – Your calculation 4930290
Email body:
Very more honored 1&1 customers,
enclosed you receive your invoice from the 31.12.2006. The total sum for your bill in the December amounts: 89.99 euros.
According to the given direct-debit authorization we will draw the amount during the next days of your account.
You will find attached the calculation in the PDF-EXE format. For reading and printing you need no additional program!
Our 1&1 team answers your questions to your invoice under 0180 5 201 026 (12 ct/Min.)
By the way: We have extended our service times for you and now are available from Monday – Saturday 08:00 – 20:00 o’clock.
Yours sincerely,
1&1 WebHosting team
[This is automatically generated news, please you do not answer to this sender. If you have questions to 1&1 Support, use please the contact form under www.{BLOCKED}nd1.de/cc]
Yes, sending spam with a touch of treachery may be old news, but according to Alice Decker, Senior Researcher of Trend Micro EMEA, the words used in the spammed email message are persuasive. In addition, Decker points out that “The smart part of the social engineering in the email body is the reference to the attached file type (EXE-PDF).”
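A mail-gateway style check for the pattern described above, where an executable attachment is presented in the message body as a document. This is an added example, not Trend Micro's detection logic; the attachment name, the extension sets, the keyword list and the example.invalid addresses are assumptions, and the sample message is constructed with an inert stub as its attachment.

```python
import email
from email import policy
from email.message import EmailMessage

DOC_EXTS = {"pdf", "doc", "xls"}
EXEC_EXTS = {"exe", "scr", "com", "pif"}
# Phrases modelled on the lure quoted above (assumed keyword list, tune per mail flow).
LURE_TERMS = ("pdf", "invoice", "no additional program")

def build_sample(filename="invoice.pdf.exe", payload=b"MZ" + b"\x00" * 62) -> bytes:
    """Constructed message; the default attachment is an inert stub with an MZ header."""
    msg = EmailMessage()
    msg["Subject"] = "Your calculation 0000000"
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content(
        "You will find attached the calculation in the PDF-EXE format. "
        "For reading and printing you need no additional program!"
    )
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def inspect(raw: bytes) -> list[str]:
    """Return reason codes for attachments that are executables dressed as documents."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    reasons = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        exts = (part.get_filename() or "").lower().split(".")[1:]
        # Content check: DOS/PE executables start with "MZ", whatever the name says.
        if data[:2] == b"MZ":
            reasons.append("pe-header")
        # Name check: a document extension directly followed by an executable one.
        if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXEC_EXTS:
            reasons.append("double-extension")
    # Context check: the body describes the executable as a readable document.
    if reasons and any(term in text for term in LURE_TERMS):
        reasons.append("document-lure")
    return reasons

if __name__ == "__main__":
    print(inspect(build_sample()))
```

The content check is the one that matters when the attachment carries a plain document name: it fires on the MZ header even if the file is called invoice.pdf.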
On its first day of release (January 9, 2007), there were already several cases related to TROJ_YABE.AS originating from Europe, as well as one from Asia. Trend Micro already detects this malware in OPR version 4.171.00.