Author Topic: This time bad guys want me to book a hotel!!  (Read 7303 times)


true indian

  • Guest
This time bad guys want me to book a hotel!!
« on: August 02, 2012, 12:04:31 PM »
Scam/Malware by e-mail...


From: Booking.com [mailto:customer.service@my.booking.com]
Sent: 02 August 2012 10:04
Subject: Reservation Confirmation [8585292], Thu, 2 Aug 2012 10:03:44 +0100
Hotel Confirmation:
0189653
Date: Thu, 2 Aug 2012 10:03:44 +0100 ---
________________________________________
Herewith you receive the electronic reservation for your hotel. Please refer to attached file for full details.
________________________________________
Arrival: Monday, August 06, 2012
Departure: Wednesday, August 08, 2012 Number of rooms: 1
________________________________________
Sincerely, Customer Service Team
Booking.com hxxp://Xww.booking.com
Your Reference ID is: 1252829
The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation.-Booking.com guarantees the best hotel rates in both cities and regional destinations - ranging from


With an attachment right in there... uploaded to VT:
https://www.virustotal.com/file/e0e419eb90d4a750a3ca9d16f7a91639fef1015e88af139935a3f0c77d828429/analysis/1343901215/
This is Necurs malware... avast missed this... reported to avast via chest.
« Last Edit: August 02, 2012, 12:08:16 PM by true indian »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: This time bad guys want me to book a hotel!!
« Reply #1 on: August 02, 2012, 02:07:09 PM »
Is this the same malware that landed at MBAM here: http://forums.malwarebytes.org/index.php?showtopic=113535

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: This time bad guys want me to book a hotel!!
« Reply #2 on: August 02, 2012, 02:32:53 PM »
@Polonus,

Same MD5:
2ce385b38817dd05f4eeb50afc97d9b6
2ce385b38817dd05f4eeb50afc97d9b6
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: This time bad guys want me to book a hotel!!
« Reply #3 on: August 02, 2012, 02:49:19 PM »
This scam (hotel/flight reservations, etc.) has been around for ages (it is just the social engineering hook that changes: flights/hotels/UPS, etc. etc.).

I can't believe anyone falls for it, much less downloads and opens the email and then opens the attachment.

I find the whole email scam hook so obvious that I just flag for deletion at server level in my anti-spam application; they are like buses there will be another variant along soon, so I don't waste time investigating them.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: This time bad guys want me to book a hotel!!
« Reply #4 on: August 02, 2012, 03:01:39 PM »
Hi !Donovan & DavidR,

But at the base of it is malicious iFrame code on the scam site wxw.booking.com, see below...
That is why I am posting this. When it has landed at MBAM, avast should also have been aware of the existence of it or have been notified.
But there is still another name it comes under: everygage.exe, and then we also land here: https://www.virustotal.com/file/e0e419eb90d4a750a3ca9d16f7a91639fef1015e88af139935a3f0c77d828429/analysis/1343901215/ (2 hrs ago).
As I understand DavidR here, it is a repetition of older malcode that has to run a bit more stale to get detected again.
Nonetheless the malicious iFrame should be flagged.

Just this is the suspicious iFrame code from that site htxp://www.booking.com/ on 894:  see attached image,

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: This time bad guys want me to book a hotel!!
« Reply #5 on: August 02, 2012, 03:24:18 PM »
Not just a repetition of old code (or slightly modified) but the whole social engineering thing to get fools to open emails and either click links or, even worse, open attachments in unsolicited emails. There is a new variant of the social engineering hook, but the underlying purpose is to get you to open the email and/or attachments or links in the email. There is also the possibility of remote execution (iframe) if you just open the email.

The iframe isn't an issue if the user isn't stupid enough to fall for the scam/phishing and deletes the obvious unsolicited scam email in the first place.

I'm all for a healthy dose of common sense as your first line of defence and not opening unsolicited email in the first place.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: This time bad guys want me to book a hotel!!
« Reply #6 on: August 02, 2012, 03:47:36 PM »
Interesting, I had one of these a few days ago and after the last post got another of them, and boy, you have to be blind not to see this for what it is: unsolicited scam email.

My MailWasher flagged it as spam, but my own custom filter 'Not to me2' really knocks it for six. If my email address doesn't appear in the To address it isn't personal but mass email. Since I'm not in the habit of sharing my hotel room why would there be multiple recipients to the email (has to be when you aren't in the To field). It is so damn obvious it is almost funny.

So I thought I would capture some images in MailWasher, because for me it is obviously spam at best, scam/phishing or malware at worst. Just say no, delete unsolicited email.
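DavidR's "not addressed to me" rule, written out as an added example for this thread (it is not DavidR's MailWasher filter nor code from any post here): the script parses a constructed message modelled on the headers quoted in the first post, flags it when the mailbox owner's address does not appear in To or Cc, and additionally lists attachments with executable-style extensions. The recipient list, attachment name, second "personal" message and the RISKY_EXTENSIONS tuple are all assumptions made up for the example.

```python
"""Bulk-mail triage in the spirit of DavidR's custom 'Not to me2' rule.

Added example, not code from the original thread. Everything below the
header layout (recipient list, attachment name, the second message) is
constructed for illustration.
"""
import email
from email.message import Message

# Attachment extensions this triage treats as risky. An assumption for the
# example, not a rule stated in the thread.
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".js", ".bat")

# Constructed sample modelled on the headers quoted in the first post. The
# empty recipient group, attachment name and base64 body are invented.
SAMPLE_SCAM = """\
From: Booking.com <customer.service@my.booking.com>
To: undisclosed-recipients:;
Subject: Reservation Confirmation [8585292], Thu, 2 Aug 2012 10:03:44 +0100
Date: Thu, 2 Aug 2012 10:03:44 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Herewith you receive the electronic reservation for your hotel.
Please refer to attached file for full details.
--BOUNDARY
Content-Type: application/zip; name="Booking_Confirmation.zip"
Content-Disposition: attachment; filename="Booking_Confirmation.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--BOUNDARY--
"""

# Constructed legitimate message: addressed to the mailbox owner, no attachment.
SAMPLE_PERSONAL = """\
From: Friend <friend@example.invalid>
To: Sis <sis@example.invalid>
Subject: Lunch on Friday?
Date: Thu, 2 Aug 2012 11:00:00 +0100

Still on for lunch?
"""


def addressed_to_me(msg: Message, my_address: str) -> bool:
    """DavidR's rule: the owner's address must appear in To or Cc.

    If it does not, the mail went to a recipient list (BCC/undisclosed),
    which is mass mail rather than a personal hotel confirmation.
    """
    recipients = " ".join(msg.get_all("To", []) + msg.get_all("Cc", []))
    return my_address.lower() in recipients.lower()


def attachment_names(msg: Message) -> list:
    """Collect the file names of every MIME part marked as an attachment."""
    names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            names.append(part.get_filename() or "")
    return names


def triage(raw: str, my_address: str) -> list:
    """Return the list of reasons to flag the message; empty means keep it."""
    msg = email.message_from_string(raw)
    reasons = []
    if not addressed_to_me(msg, my_address):
        reasons.append("not-to-me")
    risky = [n for n in attachment_names(msg)
             if n.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        reasons.append("risky-attachment:" + ",".join(risky))
    return reasons


if __name__ == "__main__":
    owner = "sis@example.invalid"  # constructed mailbox owner
    for label, raw in (("scam", SAMPLE_SCAM), ("personal", SAMPLE_PERSONAL)):
        verdict = triage(raw, owner)
        print(label, "->", "flag " + " ".join(verdict) if verdict else "keep")
```

Running it flags the constructed reservation mail on both counts and keeps the personal note. The substring match on the raw To/Cc text is deliberately simple: it mirrors the rule as DavidR states it and avoids tripping over odd group syntax such as `undisclosed-recipients:;`, which is exactly the case the rule is meant to catch.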

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: This time bad guys want me to book a hotel!!
« Reply #7 on: August 02, 2012, 05:19:24 PM »
Mail malware is usually quickly detected..... they all get samples quickly, and 5 minutes later many detect
https://www.virustotal.com/file/e0e419eb90d4a750a3ca9d16f7a91639fef1015e88af139935a3f0c77d828429/analysis/1343919437/

In 48 hours I guess you have 80-90% detection on this

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: This time bad guys want me to book a hotel!!
« Reply #8 on: August 02, 2012, 05:31:01 PM »
Unfortunately many can't get a common sense auto update to detect such scams, but it shouldn't be hard there are plenty of clues as outlined in my last post above. But the biggest is don't open unsolicited emails, just delete.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: This time bad guys want me to book a hotel!!
« Reply #9 on: August 02, 2012, 05:32:31 PM »
@ DavidR,

Well thanks for the heads-up. Every user educated by this thread and one more victim less counts.
We all started out as unaware, and now we know better.

@Pondus,
With scams it is like with bread: it has to be a bit stale to digest it better,

polonus

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: This time bad guys want me to book a hotel!!
« Reply #10 on: August 02, 2012, 05:40:42 PM »
Unfortunately many can't get a common sense auto update to detect such scams, but it shouldn't be hard there are plenty of clues as outlined in my last post above. But the biggest is don't open unsolicited emails, just delete.
Newspapers have been full of Nigeria scam info for years....... still there are those that take the bait   ::)

true indian

  • Guest
Re: This time bad guys want me to book a hotel!!
« Reply #11 on: August 02, 2012, 06:51:56 PM »
I know guys.. it's the same as the MBAM case but this one has a different reference ID....

And as it is... it's just not me using the PC... I just downloaded the attachment for fun to see what I get... and my guesses were correct... a new sample for avast!.... This e-mail was in my sis's account.... thank god she didn't download it and I saw it before her... otherwise it would have set off my additional lines of security in alarm  ;D