Incident Response, Malware, TDR

Sneaky phishing scam in Brazil may hit U.S. shores

A clever phishing email is circulating Brazil, but one researcher suggests this crafty scam will more than likely cross shores to the United States before long.

The Portuguese-language email contains an attachment named, ‘Comprovante_Internet_Banking.rtf,' which translates to, ‘Receipt from Internet Banking,' according to a post by Fabio Assolini, a senior security researcher with Kaspersky Lab.

Those who open the file are presented with a document that is able to be opened in Microsoft Word and contains a tiny image of a receipt along with a message instructing recipients to click the image twice to see it in a larger size.

Double-clicking the image will bring up a message asking users if they want to open a .CPL file – and accepting it will execute malware that seeks out credentials for banking and payments.

“The .CPL file embedded into the .RTF file is a well-known Brazilian Trojan banker, written in Delphi, belonging to the family Trojan.Win32.ChePro,” according to Assolini. “After executed, it drops several files through the system to keep the infection running.”

Assolini adds, “Embedding malicious files into .RTF or .DOC files allows cyber criminals to bypass email filtering by extensions or type; also, it allows them to break the AV detection by signatures.”

Dmitry Bestuzhev, head of the Global Research and Analysis Team with Kaspersky Lab, Latin America, told on Wednesday that he is positive the phishing scam will make its way over to the United States.

“We are absolutely sure it will, however, the scope of the attack at the moment will be limited to the Portuguese-speaking residents only,” Bestuzhev said. “Maybe in the future, if Brazilian cyber criminals decide to go behind American banks, they may localize these attacks for the English-speaking people too.”

The .RTF file does not have any exploits with which to be concerned, Bestuzhev said, but he suggested users be careful by not executing anything extra – particularly if it is a .CPL or .EXE file.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.