

December 14, 2011

main.php Vector Change

Well, it has been a "good" run for the main.php guys. Perhaps they got as tired of their drive-by technique as I did receiving their messages. In today's latest, the messages have a similar ring to them, primarily focused on some alleged FDIC transaction nonsense. Here are a few examples of the messages:

Subject: Suspension of your transactions

Dear customer,

In order to diminish the number of wire fraud cases, we have introduced a new security system. In this connection all the ACH and WIRE transactions of our customers will be suspended until your security version meets the new requirements.. In order to reinstate your account abilities, you are required to install a special security software. You may use the link below and follow the instructions to proceed with the installation.

http://fdic.gov/updates/49378441
We apologize for causing you troubles by this measure.
Please do not hesitate to contact us if you experience any problems.

Yours truly,

Federal Deposit Insurance Corporation
Security Department

======================================

Subject: For the urgent attention of Accounting Dpt.!

Dear Sirs,

In connection with the introduction of a new security system for the purpose of preventing new cases of wire fraud, all the ACH and WIRE transactions on your account have been blocked until your security version meets the new requirements.. In order to re-establish the full functioning of your account, you need to install a special security software. Please open the link below to read the instructions and download all the necessary files.

http://fdicgov/updates/96042318
We apologize for any troubles caused to you by this measure.
Please do not hesitate to contact us if you have any questions.

Sincerely yours,

Federal Deposit Insurance Corporation
Security Department

======================================

Subject: Urgent notice from FDIC

Dear Sirs,

Due to our adoption of a new security system, for the purpose of preventing new cases of fraud and scams, all your account ACH and WIRE transactions will be suspended until you update your security version in compliance with our new requirements.. In order to restore your ability to make transactions, you are required to install a special security software. Please open the link below to download and install the latest security version.

http://fdic.gov/updates/28009746
We apologize for causing you inconveniences by this measure.
Please do not hesitate to contact us if you have any questions.

Yours truly,

Federal Deposit Insurance Corporation
Security Department

The links beneath the visible fdic.gov text go to hijacked web sites, as before. But instead of loading the main.php URL into an iframe, the pages on these hijacked sites load not one, not two, but three copies of a script, each from a different hijacked site: a redundancy that guards against the possible shutdown or cleanup of one or more of the sites. The scripts are loaded via simple <script> tags, and all three sources end in jqueri.js (no relation to jQuery). The scripts consist of obfuscated JavaScript that decodes itself and then runs a laundry list of JavaScript-driven exploits against vulnerable PCs.
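The two indicators described above (a visible fdic.gov link whose real href points elsewhere, and a landing page pulling the same jqueri.js from several different hosts) are simple enough to check mechanically. The following scanner is an added example, not code from the original post; the hostnames and HTML snippets in it are constructed for the demonstration.

```python
# Added example: flag the two indicators described in the post.
# Sample hostnames and HTML below are constructed, not taken from the campaign.
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPECT_SCRIPT_SUFFIX = "jqueri.js"   # script name reported in the post
DISPLAYED_DOMAIN = "fdic.gov"         # domain the lure shows the victim


class _Collector(HTMLParser):
    """Collect <script src> values and <a href> links with their visible text."""
    def __init__(self):
        super().__init__()
        self.scripts, self.links = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def mismatched_links(html):
    """Links whose visible text names DISPLAYED_DOMAIN but whose href host does not."""
    p = _Collector(); p.feed(html)
    return [(href, text) for href, text in p.links
            if DISPLAYED_DOMAIN in text
            and not _same_site(urlparse(href).hostname or "", DISPLAYED_DOMAIN)]


def redundant_loader_hosts(html):
    """Distinct hosts serving a script named *jqueri.js (the three-copy pattern)."""
    p = _Collector(); p.feed(html)
    return sorted({urlparse(s).hostname for s in p.scripts
                   if s.lower().endswith(SUSPECT_SCRIPT_SUFFIX) and urlparse(s).hostname})


# Constructed samples: a lure e-mail body and a hijacked landing page.
LURE = '<p><a href="http://hijacked-site-a.example/x/">http://fdic.gov/updates/49378441</a></p>'
LANDING = ('<script src="http://hijacked-site-a.example/jqueri.js"></script>'
           '<script src="http://hijacked-site-b.example/jqueri.js"></script>'
           '<script src="http://hijacked-site-c.example/jqueri.js"></script>'
           '<script src="http://cdn.example/jquery.js"></script>')

if __name__ == "__main__":
    print("mismatched links:", mismatched_links(LURE))
    print("jqueri.js hosts:", redundant_loader_hosts(LANDING))
```

A mail gateway or proxy rule keyed on either signal would have caught every message quoted above; a page serving the same script name from three unrelated hosts has no legitimate reason to do so.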

As an extra bonus, when the decoded script finishes, its last task is to redirect your browser to yet another site that has been known to load malware. Your browser — and perhaps your PC — will have been beaten to a pulp before this sequence finishes.

Again, the actual exploits abused in this campaign aren't important to everyday users. But the social engineering techniques in the opening email salvos definitely are. Resisting the urge to click on ominous links is hard. But resist you must!

Posted on December 14, 2011 at 12:25 PM