Beware of funeral notice email scam leading to malware
January 13, 2014
Today I received an unusual email sent to one of my most rarely used accounts. In what turned out to be a malicious scam, the subject was: "Passing of your friend." That subject is certainly written to get your attention! The following was in the body text.
The Amos Family
Hereby we want to share your sorrow for your dear friend who passed away on Friday, January 10, 2014.
You are cordially invited to express your sympathy in memory of your friend at a celebration of life service that will be held on Monday, January 13, 2014 at the Ocker Funeral Home, Arkansas.
Please find more detailed information about the memorial service here.
Funeral Home Secretary,
The word "here" contains a link to a website in the Netherlands (youtubeforum.nl). The destination URL, which you can read on a PC by hovering over the link without clicking any buttons, is buried two folders under the root, in an aliased location named "/Funeral." Landing on that URL initiates the download of a file named "FuneralProcession.zip," which, if opened, contains a malicious file named "FuneralProcession.exe."
Anybody who is tricked into downloading that zip file and opening its executable will have a Trojan installed on their PC. I guess I am the first to report this, as zero of 51 security scanners have looked at this file as of this posting. You can check the results on VirusTotal as the file gets analyzed, here.
In the meantime, if you receive an email like this one, know that it is a scam and delete it. Check the sender field to see if it corresponds to the name of the family or funeral home. In the case of the scam I received, the sender was listed as: "The Amos Family" <[email protected]>. Domains ending in .by are in Belarus, which is located in Eastern Europe, in the former Soviet Union. BY domains are registered to residents or citizens of that country. This email claimed to come from people having a funeral in Arkansas, which is thousands of miles away, on another continent.
The Amos Family name and email account are forgeries. When I traced the location of the sending computer (shown in the normally hidden headers), it too was located in Belarus, at 18.104.22.168, which is in Minsk, BY.
So, even without an anti-virus program scanning your email, one can see that the sender's email domain and the link URL have no correlation to the funeral notice location.
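The same manual check can be scripted for a mailbox or a helpdesk queue. The following is an added example, not part of the original post: it parses a message, reads the sender's domain and the real destination of each link, and reports where they fall outside what the reader would expect. The sample message, the example.by and example.nl hosts, and the `review` and `expected_tlds` names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the scam above. Addresses and hosts are
# placeholders (example.by, example.nl), not the real sender or download site.
SAMPLE = """\
From: "The Amos Family" <notice@mail.example.by>
Subject: Passing of your friend
Content-Type: text/html; charset="utf-8"

<p>Please find more detailed information about the memorial service
<a href="http://files.example.nl/a/b/Funeral">here</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def tld(host):
    return host.rsplit(".", 1)[-1].lower()

def site(host):
    """Last two labels of a host name (rough stand-in for the registered domain)."""
    return ".".join(host.lower().split(".")[-2:])

def review(raw, expected_tlds):
    """Return (kind, detail) findings; expected_tlds is the reader's assumption."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    findings = []
    if tld(sender.domain) not in expected_tlds:
        findings.append(("sender-tld", sender.domain))
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for url in collector.links:
        host = urlparse(url).hostname or ""
        if tld(host) not in expected_tlds:
            findings.append(("link-tld", host))
        if site(host) != site(sender.domain):
            findings.append(("link-not-sender-site", url))
    return findings
```

Calling `review(SAMPLE, {"com", "us"})` reports the sender domain, the link host, and the fact that the link does not lead to the sender's own site. A clean result does not prove a message is safe, since the From header itself can be forged.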
Stay safe this Winter. Scammers have been ramping up their efforts to infect as many PCs as possible with Trojan downloaders, which in turn download and install bank account stealing malware and other nasties. They will keep changing the subject lines to attract attention and trick you into clicking before thinking. No matter what version of Windows you are using, make sure it is equipped with up-to-date anti-virus and anti-malware programs, just in case you are tricked into clicking on a malicious link.
Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.