Brazil: Orkut Phishing Mail Leads to Data-Stealing Malware



Trend Micro researchers recently captured a spam email that appeared to come from Orkut. It is written in Portuguese and translates to the following (via Google Translate):

Problems with your account.

Dear User,

We received some complaints against your profile saying you are "using copyrighted material," and before Orkut disables your account unfairly, we ask you to contact us stating the problem.

Some information from the complaint:

Your Profile: {malicious link to phishing page}
Report: {directly download malware}

* Please do not reply to this email, follow the instructions in the report of the complaint.

Warning: Your period for justification is 48h.

Regards,
{name}
Administration Orkut.com

Note: *We are taking measures in accordance with the laws in your country. (Brazil)
* Please meet the requirements of the report within the stipulated period.

Figure 1 shows the Portuguese Orkut spam. Users who click the first link in the email are led to a phishing page (see Figure 2), where they may be prompted to key in their credentials, compromising access to their Orkut accounts. When the browser opens the phishing page, it also automatically offers a file for download; if the user accepts the download and then saves and runs the file, it installs a BANKER variant (TROJ_BANKER.GAT) on the system.

Figure 1: The Portuguese Orkut spam email.
Figure 2: The Orkut phishing page.
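As an added example, not code from the original post or from Trend Micro, the following Python script applies the kind of mail-gateway checks the attack flow above suggests: it flags a link whose visible text shows an orkut.com address while its target points elsewhere, a link that serves an executable file directly, and the deadline wording of the lure. The two sample messages, the domain allow-list and every hostname in them are constructed placeholders, and the names `EXPECTED_DOMAINS`, `analyze_message` and `classify` are chosen for this example.

```python
"""Added example (not the original post's code): gateway-style checks for
an Orkut-themed lure. Both sample messages are constructed; every hostname
and address in them is a placeholder."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the real sender would link to (assumption for this example).
EXPECTED_DOMAINS = {"orkut.com", "google.com"}
# Extensions a social-network notification should never link to directly.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")
# Pressure wording typical of "account problem" lures ("48h", "disables").
URGENCY_PATTERNS = (r"\b\d{1,3}\s*h\b", r"\bdisable[sd]?\b", r"stipulated period")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.anchors, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.anchors.append((self._cur[0], self._cur[1].strip()))
            self._cur = None


def _registered_domain(host):
    """Crude eTLD+1 (last two labels); fine for .com, not for ccTLDs."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host_shown_in(text):
    """Hostname a reader would believe they are visiting, if the text looks like one."""
    m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _text_parts(msg):
    """Yield (content type, decoded body) for every text/* part."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            yield ctype, part.get_payload(decode=True).decode("utf-8", "replace")


def _links(ctype, body):
    """(href, visible text) pairs: HTML anchors, or bare URLs in plain text."""
    if ctype == "text/html":
        collector = _AnchorCollector()
        collector.feed(body)
        return collector.anchors
    return [(url, url) for url in re.findall(r"https?://\S+", body)]


def analyze_message(raw_mail):
    """Return [(severity, reason)] findings for one RFC 822 message string."""
    msg = message_from_string(raw_mail)
    sender_domain = _registered_domain(msg.get("From", "").split("@")[-1].strip(" >"))
    findings, links, plain_text = [], [], msg.get("Subject", "")
    for ctype, body in _text_parts(msg):
        links.extend(_links(ctype, body))
        plain_text += " " + re.sub(r"<[^>]+>", " ", body)  # crude tag strip
    for href, text in links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if not host:  # mailto:, relative links and the like are not checked here
            continue
        link_domain = _registered_domain(host)
        shown = _host_shown_in(text)
        # 1. Visible text claims an expected brand domain, target is elsewhere.
        if shown and _registered_domain(shown) in EXPECTED_DOMAINS and link_domain not in EXPECTED_DOMAINS:
            findings.append(("high", f"link text '{text}' hides destination {host}"))
        # 2. Sender claims the brand, but the link leaves the brand's domains.
        elif sender_domain in EXPECTED_DOMAINS and link_domain not in EXPECTED_DOMAINS:
            findings.append(("medium", f"sender claims {sender_domain} but links to {host}"))
        # 3. The link serves an executable directly, as the "Report" link did.
        if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(("high", f"direct executable download: {href}"))
    # 4. Deadline / suspension wording; one finding is enough.
    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, plain_text, re.IGNORECASE):
            findings.append(("low", f"pressure wording matches /{pattern}/"))
            break
    return findings


def classify(raw_mail):
    """Gateway verdict: quarantine on any high finding, flag on anything else."""
    findings = analyze_message(raw_mail)
    severities = {severity for severity, _ in findings}
    verdict = "quarantine" if "high" in severities else "flag" if severities else "deliver"
    return verdict, findings


# Constructed lure modelled on the mail quoted above (placeholder hosts only).
LURE_MAIL = """\
From: Administration Orkut <admin@orkut.com>
Subject: Problems with your account
Content-Type: text/html; charset=utf-8

<html><body><p>Dear User,</p>
<p>We received complaints against your profile. Before Orkut disables your
account, please check the report.</p>
<p>Your Profile: <a href="http://login-verify.example.net/orkut/">http://www.orkut.com/Profile.aspx</a></p>
<p>Report: <a href="http://files.example.net/Report_Orkut.exe">Report_Orkut.exe</a></p>
<p>Warning: Your period for justification is 48h.</p></body></html>
"""

# Constructed benign notification for comparison.
BENIGN_MAIL = """\
From: Orkut <noreply@orkut.com>
Subject: New scrap from a friend
Content-Type: text/html; charset=utf-8

<html><body><p>A friend left you a scrap. Read it on
<a href="http://www.orkut.com/Scrapbook.aspx">your scrapbook</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, mail in (("lure", LURE_MAIL), ("benign", BENIGN_MAIL)):
        print(name, classify(mail))
```

The mismatch check (finding 1) is the one that matters most for this lure: the visible text of the "Your Profile" link reads as an orkut.com address while the href leads to another host, which is exactly what the bookmark-or-type-the-URL advice later in the post protects against. The eTLD+1 helper is deliberately crude; a production gateway would use a public-suffix list so that ccTLD forms such as `.com.br` are handled correctly.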


BANKER variants and their components are notorious malware that sit silently on victims' PCs until the user browses to an online banking site. They then either redirect the user from the real banking site to a fake one or directly steal keyed-in information such as user names and passwords.

Online banking is a widely used way of transacting and managing funds in Latin America because of the sites' ease of use and convenience. This increases the chance that this targeted attack will net more users than usual. Furthermore, the Orkut spam is written in Portuguese, which unwary users may take as a sign that the mail is genuine.

Users are always advised to reach sites that require logins through their own clean bookmarks or by typing the correct URL into the browser address bar. Also, ignore emails (and the links in them) that come from doubtful or unknown sources. The Trend Micro Smart Protection Network protects Trend Micro users from this attack by identifying the phishing mail as malicious, blocking access to the phishing page, preventing the download of the malicious file, and detecting the downloaded file (and related malware) as malicious.