Western Union spam downloads keylogger

Share this article:
Spam emails, purporting to deliver a money-transfer notification from Western Union, but containing an attachment with an executable trojan, have been spotted in the wild by researchers at Sunbelt Software.

The emails tell the recipient that $3,750 has been transferred to them by Western Union and includes a tracking number and transfer sheet, Alex Eckelberry, Sunbelt president and chief executive officer, said on a company blog.

The attachment, which poses as the transfer sheet, downloads a keylogger onto the recipient's PC that collects personal information, including user names and passwords, Adam Thomas, Sunbelt malware researcher, told SCMagazineUS.com today. The malware then sends the data to an email address at a third-party hosting site, he said.

Thomas added that the attack method is not very sophisticated, pointing out that the name of the recipient is not accurate and the message contains an executable attachment, which most email clients don't allow users to open by default.

“[The downloaded trojan] goes through a charade and pops up a message with a test question," he said. "It's doing its best to make you think it's a real form of payment sent to you, hoping you'll open it just out of curiosity."

The keylogger sends the stolen information to a hotpop.com email address, Thomas said. Sunbelt has notified the abuse department of the Newton, Mass.-based company, which offers a range of hosting services, about the attack.

The attack's creator likely used Western Union as a lure because “it's the method the bad guys use to transfer money,” Thomas said.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.