Western Union spam downloads keylogger

Share this article:
Spam emails, purporting to deliver a money-transfer notification from Western Union, but containing an attachment with an executable trojan, have been spotted in the wild by researchers at Sunbelt Software.

The emails tell the recipient that $3,750 has been transferred to them by Western Union and includes a tracking number and transfer sheet, Alex Eckelberry, Sunbelt president and chief executive officer, said on a company blog.

The attachment, which poses as the transfer sheet, downloads a keylogger onto the recipient's PC that collects personal information, including user names and passwords, Adam Thomas, Sunbelt malware researcher, told SCMagazineUS.com today. The malware then sends the data to an email address at a third-party hosting site, he said.

Thomas added that the attack method is not very sophisticated, pointing out that the name of the recipient is not accurate and the message contains an executable attachment, which most email clients don't allow users to open by default.

“[The downloaded trojan] goes through a charade and pops up a message with a test question," he said. "It's doing its best to make you think it's a real form of payment sent to you, hoping you'll open it just out of curiosity."

The keylogger sends the stolen information to a hotpop.com email address, Thomas said. Sunbelt has notified the abuse department of the Newton, Mass.-based company, which offers a range of hosting services, about the attack.

The attack's creator likely used Western Union as a lure because “it's the method the bad guys use to transfer money,” Thomas said.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS