
Malware from Hell: Hackers Still Exploiting Epsilon Breach with Aggressive Email Scams

Posted: April 20, 2011

Scammers are targeting YOU and have put together a vicious email scam, and this time bomb could be sitting in your in-box waiting for you to blindly open and click on its infectious and dangerous link.

Never download any file attachments named 'EX-38463.pdf.zip' or 'EX-38463.pdf.exe', because it is malware from hell!

Recently, the world was shocked to learn that cybercriminals successfully hacked the world's largest 'permission-based' email database and stole an undisclosed number of email addresses. Epsilon, owner of the compromised database, provides outsourced marketing services to other companies. Many people were unpleasantly surprised to learn that they were personally connected and victimized. Many questioned the truthfulness of what was actually stolen, and think the historic heist could very well extend beyond a name and email address, especially since Epsilon collects or tracks other personal information about you.

The data breach continues to produce aftershocks in the form of a growing list of companies (clients of Epsilon) and persons affected, and developments suggesting there was a detailed warning of a possible attack four months earlier. As a result, a probe is underway by the FBI, Congress and the Attorney General. However, in the meantime, Mr. Cybercriminal is personally knocking on your door with his latest email scam. Angry PC users have identified the following email in their inboxes:

From: SUPPORT SYSTEM [underseasro@exdelivery.com]
To: example@netscape.net
Subject: Request Rejected
Date: Wed, 13 Apr 2011

Dear Sirs,

Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below.

Thank you Best regards.

Cybercriminals have attached a venomous zip file that, when unzipped, downloads a nasty executable, which, unfortunately, releases the perfect malware storm: a mix of clever and deadly Trojans.

EX-38463.pdf.exe (file size = 14,848 bytes), aka Trojan Win32/SillyDI.XRH, is a familiar pest known to download and execute other malicious files via FTP or HTTP transfer. When executed, Trojan Win32/SillyDI.XRH will connect to the malicious domain hdjfskh.net, which in turn delivers and executes puske.exe, aka Trojan Win32/FakeAV, which pushes the poisonous rogue security program known as Antivirus Antispyware 2011.

Crooked programmers have infused their rogue security program model with polymorphic coding, so that Trojans like Trojan Win32/FakeAV can mutate and alter their appearance (file names or skin/interface, including the displayed name) depending on the OS they invade. So the variants XP Antispyware 2011, Vista Antispyware 2011 and Win 7 Antispyware 2011 are all one and the same threat, and while the name may differ, this viral intruder uses the same scare tactics as all the other rogue security programs infiltrating the cyber world and wreaking havoc on unwary PC users' screens. Click on the name/link here to learn more about what torturous behavior you can expect from Antivirus Antispyware 2011, a fake anti-virus program.

So that you may understand the deception planned by these evil and greedy scammers, you need to know that they are not limiting this nasty concoction just to this one email. We identified another type of email scam involving some of the same family of Trojans:

From: "DHL Global"
To:
Subject: DHL Express Services
Date: Mon, 4 Apr 2011

Dear customer,

The parcel was sent your home address It will arrive within 7 business days

More information and the tracking number are attached in document below.

Thank You
Copyright © 1994-2011 DHL, Inc. All rights reserved.

In this campaign, users also identified TrojanDownloader:Win32/Chepvil.J as an addition to the wicked party list, and we're told this Trojan loves to open a back door on PCs so hackers can put them to malicious use.

Who's Behind Malicious Websites like HDJFSKH.NET and Rogue Security Programs like Antivirus Antispyware 2011?

Oftentimes, a check of domain registrant reveals a repeated offender, and this is indeed the case of this malicious attack. We found the following record at domainstool.com:

Domain name: hdjfskh.net

Registrant Contact: Korso LTD
Andy Malsen admin@firtryt.biz
7569190 fax: 7569190
19/2 Sun street. Montey 201
Alabama AL 36003

Website Title: None given. (Registered but with no website)
ICANN Registrar: BIZCN.COM, INC.
Created: 2011-04-08
Expires: 2012-04-08
Updated: 2011-04-15
IP Address: 94.63.149.26
IP Location: - Romania - Cobalt It S.r.l
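The registrant check above is done by hand in the article; as an added example (not the article's own code), here is the same triage automated: the key/value lines of the quoted WHOIS record are parsed, and the domain is flagged when it was created only days before the lure email was sent (the 'Request Rejected' email is dated 13 April 2011) or when it serves no website at all. The record text is copied from the article; the 30-day cutoff is an assumed triage threshold, not something the page states.

```python
"""Domain-age triage over a WHOIS record (added example, not the article's code)."""
from datetime import date

# Copied from the WHOIS record quoted in the article (registrant lines omitted).
WHOIS_RECORD = """\
Domain name: hdjfskh.net
Website Title: None given. (Registered but with no website)
ICANN Registrar: BIZCN.COM, INC.
Created: 2011-04-08
Expires: 2012-04-08
Updated: 2011-04-15
IP Address: 94.63.149.26
"""

# Date of the 'Request Rejected' lure quoted in the article.
LURE_DATE = date(2011, 4, 13)


def parse_whois(text):
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name.

    Lines without a colon are skipped; the split is on the first colon only,
    so values that themselves contain colons stay intact.
    """
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def domain_age_days(fields, seen_on):
    """Days between the record's Created date and the day the lure was seen."""
    created = date.fromisoformat(fields["created"])
    return (seen_on - created).days


def assess(fields, seen_on, max_age_days=30):
    """Return the reasons this domain looks like throwaway attack infrastructure.

    max_age_days is an assumed cutoff: domains younger than this at the time
    of the email are treated as suspicious.
    """
    reasons = []
    age = domain_age_days(fields, seen_on)
    if age < max_age_days:
        reasons.append(f"domain was only {age} days old when the email was sent")
    if "no website" in fields.get("website title", "").lower():
        reasons.append("registered but serving no website")
    return reasons


if __name__ == "__main__":
    record = parse_whois(WHOIS_RECORD)
    for reason in assess(record, LURE_DATE):
        print(record["domain name"], "->", reason)
```

For the quoted record the domain was registered five days before the lure went out, which, together with the absence of any website, is the pattern of a domain set up only to serve a campaign; a mail filter or analyst playbook can apply the same two checks to any link or download domain found in a suspicious message.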

So What Does All This Mean To YOU?

Cybercriminals are not sleeping, especially since they have a massive list of possible new victims, so basically you need to KEEP YOUR EYES OPEN and practice good Internet security.

  1. First things first: keep up-to-date anti-malware installed on your PC, and stay on top of software upgrades, which often patch known vulnerabilities and thwart possible malicious attacks.
  2. Practice good housekeeping:
     a. Use strong passwords, and if you are not certain yours measures up, double-check it using Microsoft's online password
     checker (1).
     b. We shouldn't need to mention it, but DO NOT WRITE DOWN OR SHARE your passwords or the secret questions/answers
     that authenticate that it is really you!
     c. Schedule and regularly clean your cookies and browsing history.

  3. Do not blindly click on dubious links or download files. Never trust files by their icons; instead check the file extension and the source of the actual email. When in doubt, pick up a phone to call and verify the sender, or use another 'trusted' online method. (Remember: Mr. Cybercriminal may have hacked into that person's account and is now an imposter.)
  4. Stay away from illegal downloads, i.e. pirating. Freeware, shareware and codecs (used to view those free movies) are known to be infectious, since Trojans love to cloak themselves in them undetected.
  5. Be careful when surfing unfamiliar websites or clicking on Google search results. Some of these websites, like hdjfskh.net, were set up with malicious intent, and somehow Mr. Cybercriminal has manipulated these vicious sites into search engine results.
  6. If you feel your PC has been infected, DISCONNECT FROM THE INTERNET and run your system in 'safe mode'. Hopefully you have a legitimate anti-malware solution, and if so, a physical copy on disk or an external drive that you can load to remove the venom, i.e. viruses and Trojans, including rogue security programs.
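The advice to check the file extension rather than the icon is exactly what catches the 'EX-38463.pdf.zip' / 'EX-38463.pdf.exe' lure. As an added example (not the article's own code), the script below parses a raw email, flags attachments whose names hide an executable or archive behind a trusted document extension, and looks inside zip attachments for executable members. The sample message is constructed here to mirror the 'Request Rejected' email quoted above; the zip member is a placeholder string, not a real program, and the extension lists are assumptions chosen for the demo.

```python
"""Attachment-name triage for the double-extension trick (added example, not the article's code)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that run code when opened (assumed list for the demo).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Containers that unpack to something that may run.
ARCHIVE_EXTS = {"zip"}
# Extensions people trust on sight, used by the scam as the decoy layer.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "txt"}


def classify_filename(name):
    """Return the reasons a filename looks deceptive; an empty list means clean."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return []
    final = parts[-1]              # the extension the OS actually honours
    inner = set(parts[1:-1])       # anything shown before it, e.g. 'pdf'
    reasons = []
    if final in EXECUTABLE_EXTS:
        reasons.append("executable extension: ." + final)
    if final in (EXECUTABLE_EXTS | ARCHIVE_EXTS) and inner & DECOY_EXTS:
        reasons.append("decoy document extension before ." + final)
    return reasons


def scan_zip_bytes(data):
    """Names of suspicious members inside a zip; empty for clean or invalid archives."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if classify_filename(n)]
    except zipfile.BadZipFile:
        return []


def triage_message(raw):
    """Parse a raw RFC 5322 message; return {attachment_name: [reasons]} for suspicious ones."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_filename(name)
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip"):
            for member in scan_zip_bytes(payload):
                reasons.append("zip contains " + member)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Constructed lookalike of the 'Request Rejected' lure with a zip holding a fake .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes only; this is not an executable.
        zf.writestr("EX-38463.pdf.exe", b"placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "SUPPORT SYSTEM <underseasro@exdelivery.com>"
    msg["To"] = "example@netscape.net"
    msg["Subject"] = "Request Rejected"
    msg.set_content("Thank you for your letter! More information attached in document below.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="EX-38463.pdf.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

The check deliberately keys on the last extension only, because that is the one Windows uses to decide what to run, while the decoy extension in the middle is what the icon and a casual glance show; an archive that merely contains a double-extension file is reported too, since that is how the zip variant of this lure carries its payload.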

Final Word

Yes, I know you are sick and tired of hearing about Internet security, viruses, Trojans, worms and malicious attacks by cybercriminals, but guess what? Cybercriminals never tire of hearing and learning more about you, which is why they've invested in the study of social engineering. The more information about you they can collect, the easier it will be to scam and cheat you out of money and fatten their bank accounts. Let's change the myth that most PC users are ignorant in the ways of Internet security and begin properly protecting our valuable data and PCs. Do not become their next victim!

Give us your opinion of this article or your take on the Epsilon data breach. Do you think they are being truthful and that the theft was only limited to email addresses? Do you expect more email attacks and are you prepared to protect yourself?
