By Dave Michmerhuizen – Research Scientist, Luis Chapetti – Security Researcher
It’s wonderful to get a gift in the mail, even in your email, but while a gift delivered by the Post Office isn’t likely to take over your house and empty your bank account, a gift received via email might do just that.
Take this recently intercepted spam campaign as an example. It says you’ve received a 100 Euro gift voucher to use on Pixmania, a popular European e-commerce site.
You may not be 100% sure who Gretchen is, but who cares? You’ve got 100 Euros! All that needs to be done is to get the voucher code, whatever that is.
So you open the attachment to see this.
There was a time when everyone knew what this image represented. ‘voucher’ is a Windows screen saver, a type of executable program, and double-clicking on that icon will indeed run it. Were you to do so, you would be running TROJ_DROPPER, a simple bit of malware designed to download and install other malware. No voucher would appear on the screen. In fact, nothing appears to happen, and you might be tempted to think that the voucher file was broken in some way.
But the voucher program isn’t broken; it just isn’t doing what you might expect. Instead of showing you how to cash in your 100 Euros, it’s busy downloading and installing malware. In this case, a spambot (socks.exe) and a backdoor (hermes.exe).
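As an added example (not code from the original post), here is a small mail-gateway style check in Python that catches the trick described above: it inspects both an attachment's file extension and its leading bytes, so a screen saver such as ‘voucher.scr’ (.scr being the Windows screen saver extension) is flagged as an executable, and so is an executable renamed to look like a document. The sample message and the ‘MZ’ header stub are constructed here; they are not the real campaign's files.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will happily execute on double-click, screen savers included.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
PE_MAGIC = b"MZ"  # every Windows PE executable starts with the DOS 'MZ' stub


def classify_attachment(filename, data):
    """Return the reasons an attachment looks executable (empty list if none)."""
    ext = os.path.splitext(filename)[1].lower()
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if data[:2] == PE_MAGIC:  # content check catches renamed executables too
        reasons.append("PE (MZ) header")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and list attachments that look executable."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, data)
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_message():
    """Constructed lure message: a fake 'voucher.scr' plus a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "gretchen@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Your 100 Euro Pixmania voucher"
    msg.set_content("Open the attached voucher to get your code.")
    # Constructed stand-in for a PE file: just the MZ stub text, not real malware.
    fake_pe = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="voucher.scr")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()):
        print(f"quarantine {name}: {', '.join(reasons)}")
```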
While it is possible to receive notification of a gift via email, you shouldn’t try to redeem it using a link in the email or, heaven forbid, an attached file. Use a web browser to navigate to the shopping site and retrieve it from your account there, or email the person who sent it to you and ask for further instructions.