Mac and Windows users targeted with malicious "Failed delivery" emails
Posted on 21.01.2014
A widespread malware delivery campaign in the form of fake "undelivered courier item" emails is targeting both Windows and OS X users, warns Sophos.

The emails in question impersonate a series of existing courier brands such as DHL, FedEx, and the UK Royal Mail, but these malware peddlers have also thought about creating an imaginary service as well, and to create a website for it.

The contents of the emails are nothing new - the potential victim is told that the service is having trouble delivering them a package, and that they should get in touch after checking out the parcel document via a link contained in the email:


Despite the clumsy wording of the email, there are those who will fall for the trick, especially when the cyber crooks use personal information they might have collected or bought from other scammers.

Clicking on the offered link will lead the victims to a website set up by the attackers, which is able to detect whether the visitor uses a mobile browser, Safari, or another desktop browser.

In the first instance, the server delivers an error message, and the user is safe. But if he or she uses a desktop browser, the page serves malware for download.

In the case of desktop browsers which are not Safari, the user is urged to download a ZIP file pretending to be a document with the parcel information, but actually contains an information-stealing Trojan similar to the infamous Zeus malware.

If the user surfs the Internet with Safari, visiting the page will trigger an automatic download of a ZIP file that apparently contains a PDF file. But if the user runs it, OS X detects it for what it really is: a piece of software.


If that is not enough for the user to become suspicious, and he or she ultimately decides to run it, nothing seemingly happens.

But in the background, the malware ("LaoShu") has been installed and begins working.

"LaoShu-A as good as hands control of your Mac over to the attackers, but its primary functions appear to be more closely associated with data stealing than with co-opting you into a traditional money-making botnet," explains Paul Ducklin.

"In other words, the attackers seem more concerned with digging around on your computer for what they can steal than with abusing your computer and your internet connection to aid and abet other cybercriminal activities."

The malware is interested in collecting Word, Excel and Powerpoint files and exfiltrate them to a server run by the attackers, as well as in downloading additional malware that will take screenshots and send them to the server.









Spotlight

Operation Pawn Storm: Varied targets and attack vectors, next-level spear-phishing tactics

Posted on 23 October 2014.  |  Targets of the spear phishing emails included staff at the Ministry of Defense in France, in the Vatican Embassy in Iraq, military officials from a number of countries, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 24th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //