Threat Outbreak Alert: Fake Gift Voucher Redemption Email Messages on July 3, 2013

2013-06-06T14:49:58
ID CISCO-THREAT-29597
Type ciscothreats
Reporter Cisco
Modified 2013-07-03T17:57:04

Description

Medium

Alert ID: 29597
First Published: 2013 June 6 14:49 GMT
Last Updated: 2013 July 3 17:55 GMT
Version: 3

Summary

  • Cisco Security has detected significant activity related to spam email messages that claim to contain a gift voucher for the recipient. The text in the email message instructs the recipient to open the attachment to receive the voucher code. However, the .zip attachment contains a malicious .scr file that, when executed, attempts to infect the system with malicious code.

E-mail messages that are related to this threat (RuleID6228 and RuleID6228KVR) may contain the following files:

Pixmania Gift Voucher.zip
Pixmania Gift Voucher.scr
Invoice.zip
PaySlip.scr

The Pixmania Gift Voucher.scr file in the Pixmania Gift Voucher.zip attachment has a file size of 68,995 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x1D7D1173FA769CD378D5D70442E14AAA

A variant of the Pixmania Gift Voucher.scr file in the Pixmania Gift Voucher.zip attachment has a file size of 89,619 bytes. The MD5 checksum is the following string: 0x87CF88122428CD55A5CB5A2786C1F794

The PaySlip.scr file in the Invoice.zip attachment has a file size of 496,321 bytes. The MD5 checksum is the following string: 0x3FFEEF5BA1F92C5AA592E6C8DF202902

The following text is a sample of the e-mail message that is associated with this threat outbreak:

Subject: Pixmania Gift Voucher (50 EUR)

Message Body:

Mark has sent your a gift voucher at value of 50 EUR. This gift voucher may be redeemed against any product(s) on our website.
Value: 50 EUR
Claim code:
attached in a letter
Expire date: 2013-04-15
How to use gift vouchers
1.Take your pick from over 1 300 000 products on Pixmania.com.
2. Click on the "Add to basket" button and submit your order.
3. At the payment stage of the ordering process, enter the claim code on your voucher and click "Confirm". Several gift vouchers can be used to pay for the same order.
4. Your order is processed and your products are sent to you.

Or

Subject: Order Confirmation(TT Payment Received from your bank)

Message Body:

Dear Sir/Madam,
We want to acknowledge the payment you made through your bank and want you thank you for your prompt response to our agreement. I have attached copies of the receipts and invoice for your delivery tomorrow .
Thank You for your co-operation and i wish we have more successful business together.
Regards,
A H Mohammed Gazzally
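The indicators above (attachment names, the .scr-inside-.zip pattern and the three MD5 checksums) are what a mail-gateway or incident-response script would key on. The following is an added triage example, not Cisco's code and not part of the original alert: it parses a raw message, unpacks any zip attachment in memory, hashes each member and flags it if it is a .scr file or if its MD5 matches one of the checksums quoted in the alert. The subject patterns are derived from the two sample subjects in the alert, the per-member size cap is an assumed safety limit, and `build_sample_message()` constructs a harmless test message (plain text bytes named like the malicious attachment) so the script runs offline.

```python
import email
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# MD5 checksums quoted in the Cisco alert (RuleID6228 / RuleID6228KVR),
# lower-cased and without the "0x" prefix used in the alert text.
KNOWN_MD5 = {
    "1d7d1173fa769cd378d5d70442e14aaa": "Pixmania Gift Voucher.scr (68,995 bytes)",
    "87cf88122428cd55a5cb5a2786c1f794": "Pixmania Gift Voucher.scr variant (89,619 bytes)",
    "3ffeef5ba1f92c5aa592e6c8df202902": "PaySlip.scr in Invoice.zip (496,321 bytes)",
}

# Loose matches on the two sample subjects in the alert (assumption: the
# distinctive prefix is stable even if the amount or wording after it varies).
SUBJECT_PATTERNS = [
    re.compile(r"^Pixmania Gift Voucher", re.I),
    re.compile(r"^Order Confirmation\s*\(TT Payment Received", re.I),
]

# Assumed limit so a crafted archive cannot expand to an arbitrary size in memory.
MAX_MEMBER_BYTES = 10 * 1024 * 1024


def inspect_zip(zip_bytes):
    """Return one record per file in the archive: name, size, MD5 and flags."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                records.append({"name": info.filename, "size": info.file_size,
                                "md5": None, "flags": ["oversized-member"]})
                continue
            data = zf.read(info)
            md5 = hashlib.md5(data).hexdigest()
            flags = []
            if info.filename.lower().endswith(".scr"):
                flags.append("scr-executable")   # screensaver = Windows executable
            if md5 in KNOWN_MD5:
                flags.append("known-md5")        # exact match on an alert indicator
            records.append({"name": info.filename, "size": len(data),
                            "md5": md5, "flags": flags})
    return records


def triage_message(raw):
    """Parse a raw RFC 5322 message and decide pass / review / quarantine."""
    msg = email.message_from_bytes(raw, policy=default)
    subject = msg.get("Subject", "")
    result = {"subject_match": any(p.search(subject) for p in SUBJECT_PATTERNS),
              "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        entry = {"name": name, "members": []}
        if name.lower().endswith(".zip") or zipfile.is_zipfile(io.BytesIO(payload)):
            try:
                entry["members"] = inspect_zip(payload)
            except zipfile.BadZipFile:
                entry["members"] = [{"name": name, "size": len(payload),
                                     "md5": None, "flags": ["corrupt-zip"]}]
        result["attachments"].append(entry)
    flagged = [m for a in result["attachments"] for m in a["members"] if m["flags"]]
    # Any flagged archive member is enough to quarantine; a subject hit alone
    # only earns a human look, since legitimate mail can share a subject.
    result["verdict"] = "quarantine" if flagged else ("review" if result["subject_match"] else "pass")
    return result


def build_sample_message():
    """Constructed test input: harmless bytes named like the alert's .scr, in a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pixmania Gift Voucher.scr", b"NOT A REAL EXECUTABLE - constructed test data")
    msg = EmailMessage()
    msg["From"] = "gift@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Pixmania Gift Voucher (50 EUR)"
    msg.set_content("Mark has sent your a gift voucher at value of 50 EUR. Claim code: attached in a letter")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Pixmania Gift Voucher.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

Because the constructed payload is not the real sample, the MD5 check does not fire here; the verdict comes from the .scr member alone, which is the more durable signal since the alert itself lists two different hashes for the same attachment name.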

Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco Threat Operations Center
Cisco SenderBase Security Network

Revision History

Version | Description | Section | Date
---|---|---|---
3 | Cisco Security has detected significant activity on July 3, 2013. | | 2013-July-03 17:57 GMT
2 | Cisco Security has detected significant activity on June 10, 2013. | | 2013-June-10 13:40 GMT
1 | Cisco Security has detected significant activity on June 6, 2013. | | 2013-June-06 14:49 GMT

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products