Japanese spam is making the rounds claiming that you can watch all FIFA World Cup matches live or on-demand for free on the site pink-bank[REMOVED]. The email states that the top German video site collaborated with FIFA to be the sole official video distributor of the games. Pink-bank? Doesn't that sound a bit strange?
After visiting the site, I could not find anything related to the World Cup, FIFA, or soccer/football. It was just full of pornography. So is this stereotypical spam that tries to lure folks to sites they typically would not access? Yes and no. There’s a bit more to this than the usual spam.
Looking at the site, it seems to be all porn and nothing but porn.
The blurred images are videos and let’s say, for argument’s sake, that I want to watch one of them. Clicking on one of the videos displays the following page, which asks you to confirm that you are over 20 years old and also agree to the EULA.
After agreeing, an identical page appears, but on a different URL. This is to confirm that you are sure that you agree and want to move to the page containing the videos.
Once you agree for the second time, you are forwarded to a page with various channels to view whatever video you please, with instructions at the top telling the viewer to click "Run" when a pop-up window appears in order to view the selected video. That's a bit strange. Why would I want to execute a file to view a video? It's not a codec file either; it's an .hta (HTML Application) file.
So I went ahead and ran the file for the purposes of analysis. (No, really!)
Executing the file not only allows you to see the video (although the video kept on hanging due to a poor stream), but it also surreptitiously installs malware onto the computer.
Now, let’s take a look at my desktop. I have never seen that lady before!
The message thanks the user for registering and states that payment for registration must be made within 3 days. (If you read the EULA carefully, it says there is a fee for registering.) The message won't go away unless it is manually removed. Clicking on the details button takes you to the following site, which states the user ID, the user's IP address (which may scare a lot of people into paying the registration fee because many may think the site knows where they are located), the user's browser (this may scare some people into paying as well), and how much the user owes.
Thought you could watch all matches of the World Cup for free? No, at least not on this site. The scam just lures people interested in the World Cup to the site and hopes that some will be more interested in the content of the site than the soccer games. Ultimately, it tries to trick you into paying for the service. If you pay within the 3-day limit, you only have to pay 50,000 yen, a 9000 yen discount. I’ll let the authorities decide whether clicking a few buttons can be considered registering.
However, Symantec doesn’t allow the site to install malware on computers. Symantec detects the .hta file as Trojan Horse. By the way, this is a typical scam in Japan, involving spam and usually adult-related sites, called “one-click fraud”.
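The delivery step described above, a browser fetching an .hta file that the page tells the viewer to run, is something a defender can look for in web proxy logs. The following Python is an added example, not part of the original post and not Symantec's detection; the log format, host names, sample lines, and function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample proxy log (not from the original post).
# Assumed format: time client method url status content-type
SAMPLE_LOG = """\
2000-01-01T10:02:11 10.0.0.5 GET http://video.example/channel/1 200 text/html
2000-01-01T10:02:19 10.0.0.5 GET http://video.example/play/viewer.hta 200 application/hta
2000-01-01T10:03:40 10.0.0.8 GET http://cdn.example/get?file=notes.hta.txt 200 text/plain
2000-01-01T10:04:02 10.0.0.9 GET http://video.example/dl/PLAYER%2EHTA?id=7 200 application/octet-stream
2000-01-01T10:05:30 10.0.0.9 GET http://video.example/stream 200 Application/HTA; charset=utf-8
malformed line
"""

def hta_reasons(url, content_type):
    """Return the reasons a response looks like an HTML Application download."""
    reasons = []
    # Check only the decoded path, so ".hta" inside a query string is ignored
    # and percent-encoded or upper-case extensions are still caught.
    path = unquote(urlsplit(url).path).lower()
    if path.endswith(".hta"):
        reasons.append("url-extension")
    # Drop parameters such as "; charset=..." before comparing the MIME type.
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime == "application/hta":
        reasons.append("content-type")
    return reasons

def flag_hta_downloads(log_text):
    """Return (client, url, reasons) for each successful .hta fetch in the log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(None, 5)  # content-type may itself contain spaces
        if len(fields) != 6:
            continue  # skip lines that do not match the assumed format
        _time, client, _method, url, status, ctype = fields
        reasons = hta_reasons(url, ctype)
        if status == "200" and reasons:
            hits.append((client, url, reasons))
    return hits

if __name__ == "__main__":
    for client, url, reasons in flag_hta_downloads(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

A hit that matches on content type alone, or on extension alone behind a generic content type, is worth the same follow-up as one that matches both, since the server controls both values.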
Thanks to the Email Security Group for the information regarding the spam.