
Downloader.Ponik Seeks Long Term Relationship

Created: 09 Jan 2013 18:52:48 GMT • Updated: 23 Jan 2014 18:10:28 GMT • Translations available: 日本語
Author: Satnam Narang

Contributor: Jeet Morparia

Online dating is big business. In 2012, 40 million people visited or used an online dating site in the United States. According to some statistics, the online dating industry is worth over $1 billion. Others say it is worth over $3 billion globally. The fact is that online dating is a lucrative industry, so it should come as no surprise that it is also on the radar of cybercriminals.

Figure 1. Downloader.Ponik spam campaign world map

One of the most recent malicious spam campaigns we encountered used online dating as its lure. While broad in scope, targeting users around the world, this campaign was largely focused on users in the United States, the United Kingdom, and Australia.

Figure 2. Sample Downloader.Ponik dating spam email

The email messages used in the campaign claim to be from someone named “Kat” and use varying subject lines:

  • It’s a pleasure to meet you here
  • Write me again, ok? I really need your advice
  • How are you today? What are you doing now?
  • You dont know me, so Im here to fix it!
  • Hey how are you?
  • Hello there!
  • Im glad to see you!
  • Hola!
  • How do you do?

The body of the message is identical in each email:

Hello from Kat. I got some information about you from a=dating site. I found out that you are looking for a woman for LTR. I’m expec= to find a perfect match. Also I wish to exchange photos with you and may=e try to know you better. I will be waiting for your reply with impatience.

It is interesting to note that the emails claim that they obtained information on the target through an online dating site.

Attached to each message is a file named photo.zip, which contains a threat that we detect as Downloader.Ponik. Downloader.Ponik is known for bringing some baggage with it. This particular version of Downloader.Ponik downloads the following malware:

As always, be careful when opening attachments in emails from unknown sources. I think it is safe to say that this is one long-term relationship you don’t want to get involved in.
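The following is an added triage example written for this post; it is not code from Symantec or from the Downloader.Ponik analysis. It takes the indicators the post gives (the sender name "Kat", the listed subject lines, the campaign body text and the photo.zip attachment), parses a raw email with Python's standard library, decodes the quoted-printable body (the source of the stray "=" characters in the quoted message above) and looks inside the zip for an executable hiding behind a "photo" name. The sample messages, the sender addresses and the "photo.jpg.exe" member name are constructed for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the post: the sender name "Kat", the observed subject
# lines, and the photo.zip attachment that carries Downloader.Ponik.
KNOWN_SUBJECTS = {
    "It's a pleasure to meet you here",
    "Write me again, ok? I really need your advice",
    "How are you today? What are you doing now?",
    "You dont know me, so Im here to fix it!",
    "Hey how are you?",
    "Hello there!",
    "Im glad to see you!",
    "Hola!",
    "How do you do?",
}
ATTACHMENT_NAME = "photo.zip"
# Extensions that should never appear inside an attachment called "photo".
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_sample_eml() -> bytes:
    """Constructed message resembling the campaign; not a captured email.
    The body is sent quoted-printable, which is where the stray '=' signs in
    the post's quoted text come from; the parser in triage() decodes it."""
    msg = EmailMessage()
    msg["From"] = "Kat <kat@example.invalid>"  # constructed sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Hey how are you?"
    msg.set_content(
        "Hello from Kat. I got some information about you from a dating site. "
        "I found out that you are looking for a woman for LTR.",
        cte="quoted-printable",
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes standing in for the dropper; not a real binary.
        zf.writestr("photo.jpg.exe", b"PLACEHOLDER-NOT-EXECUTABLE")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=ATTACHMENT_NAME)
    return msg.as_bytes()


def build_benign_eml() -> bytes:
    """Constructed ordinary message used to show the check does not fire."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.invalid>"  # constructed sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Are we still on for lunch?")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return the campaign indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Normalise the curly apostrophe used in the post's subject list.
    subject = str(msg["Subject"] or "").strip().replace("\u2019", "'")
    if subject in KNOWN_SUBJECTS:
        findings.append(f"subject matches campaign list: {subject!r}")

    if re.search(r"\bKat\b", str(msg["From"] or "")):
        findings.append("sender display name is 'Kat'")

    # get_content() undoes the quoted-printable encoding for us.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if "Hello from Kat" in text and "LTR" in text:
        findings.append("body matches the campaign template")

    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ATTACHMENT_NAME:
            continue
        findings.append("attachment named photo.zip")
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXTENSIONS):
                        findings.append(f"zip member looks executable: {member}")
        except zipfile.BadZipFile:
            findings.append("photo.zip attachment is not a valid zip archive")

    # Two or more independent indicators is a reasonable quarantine threshold.
    return {"suspicious": len(findings) >= 2, "findings": findings}


if __name__ == "__main__":
    print("campaign-like:", triage(build_sample_eml()))
    print("benign:", triage(build_benign_eml()))
```

Each indicator is weak on its own (plenty of legitimate mail is sent by someone called Kat), so the check scores them together and only the zip-member inspection looks past the filename to what the attachment actually contains, which is the part most worth keeping in a mail gateway rule.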