Symantec has blogged previously about spammers exploiting the recent catastrophic situation in Japan. Since then, Symantec has observed additional variations in spam attacks in which the spammers are continuing to exploit the tragedy, even as the earthquake and tsunami relief efforts are in progress. Similar to what we have seen in the past, virus attacks in the form of messages containing links to images in the message body were observed in the third week of March. Such attacks, along with scam emails, are usually prevalent after such disasters have occurred. The subject line and screenshot of a sample message body of the virus attack can be seen below.
Subject: Novo tsunami atinge Sendai e Japao declara estado de emergencia em usina nuclear
[Subject: New tsunami hits Japan Sendai and declares state of emergency in nuclear plant]
As seen in the screenshot above, what appears to be a video is in fact just a link to an image. Once the link is clicked, the user is asked to download and install an executable file (“XAR485849834.exe” – screenshot below) that is malware related to a Brazilian banking Trojan. The link to the image hxxp://xxx.<removed>trade.com/globo.com.html leads the user to download the malware payload from the attacking machine. After it has been successfully installed, the malware gathers the user’s Internet banking details and other sensitive information.
Similar to the sample above, another variation of the spam attack has a message that lures the user into watching a video of the devastating tsunami in Japan. The From and Subject lines of the spam message are below.
From: "Veja o video gravado no momento do tsunami no japao." <firstname.lastname@example.org>
Subject: Veja o video gravado no momento do tsunami no japao.
The English translation of the subject line and body of the spam message (in Portuguese) is below.
Subject: Watch the video recorded at the time of the tsunami in Japan.
Camera man was able to shoot everything
What appears to be a video is again just an image that is composed of a link to the attacking machine that downloads the malware. The IP addresses involved in the above spam attacks are traced back to Brazil.
The scammers have also been exploiting the relief efforts by sending 419 scam emails that have been prevalent ever since the natural disaster took place. In another variation of the Nigerian scam that has been observed recently, the fake message urges people to help the survivors of the earthquake and tsunami while the country is battling a nuclear crisis.
The message lists the various organizations working on relief and recovery in the region. However, towards the end the message, the scammer requests a donation in the form of a wire transfer payment through a popular service. The scammer also asks that the sender emails the complete details of the transaction (as mentioned on the receipt) to an email address that quite obviously belongs to the scammers. Scammers favor wire transfer services because payments are irreversible, untraceable, and require minimal identity checks. The IP address 126.96.36.199—which is involved in the scam email—was traced back to Lagos, Nigeria. This IP has been blacklisted because of its past involvement in such scams.
Symantec recommends that our readers reach out to the earthquake and tsunami victims through legitimate and secure channels so that the help that you send reaches the intended recipients. Moreover, be cautious of downloading certain file types, particularly executables (.exe). Any emails containing or leading to this type of application extension should be considered suspicious, particularly if it's coming from an unknown sender.
Note: My thanks to Carlos Mejia, Mayur Deshpande, and Paresh Joshi for the spam samples contributed to this blog.