Western Union spam downloads keylogger

Share this article:
Spam emails, purporting to deliver a money-transfer notification from Western Union, but containing an attachment with an executable trojan, have been spotted in the wild by researchers at Sunbelt Software.

The emails tell the recipient that $3,750 has been transferred to them by Western Union and includes a tracking number and transfer sheet, Alex Eckelberry, Sunbelt president and chief executive officer, said on a company blog.

The attachment, which poses as the transfer sheet, downloads a keylogger onto the recipient's PC that collects personal information, including user names and passwords, Adam Thomas, Sunbelt malware researcher, told SCMagazineUS.com today. The malware then sends the data to an email address at a third-party hosting site, he said.

Thomas added that the attack method is not very sophisticated, pointing out that the name of the recipient is not accurate and the message contains an executable attachment, which most email clients don't allow users to open by default.

“[The downloaded trojan] goes through a charade and pops up a message with a test question," he said. "It's doing its best to make you think it's a real form of payment sent to you, hoping you'll open it just out of curiosity."

The keylogger sends the stolen information to a hotpop.com email address, Thomas said. Sunbelt has notified the abuse department of the Newton, Mass.-based company, which offers a range of hosting services, about the attack.

The attack's creator likely used Western Union as a lure because “it's the method the bad guys use to transfer money,” Thomas said.
Share this article:

Sign up to our newsletters

More in News

Instagram iOS and Android apps vulnerable to session hijacking

Two researchers wrote about the Instagram app for iOS and Android is vulnerable to session hijacking because both send unsecured information through HTTP.

Report: Hackers stole data from Israeli defense firms

A report by Brian Krebs detailed the intrusions, which occurred between Oct. 2011 and Aug. 2012.

Neverquest trojan targets regional banks in Japan

Symantec researchers found a new variant of the banking trojan.