Hi All, PandaLabs found out in their research that emails with disaster messages are circulating, like one in Spanish we’ve received with the subject "(Urgente) Posible Terremoto y Tsunami con un 89 % de efectividad", and that is of course false.
The message consists of different images and informs users about an earthquake and tsunami alert in Chile. Besides, it passes itself off as a warning from National Geographic, in order to make it more credible. The targets of this attack are users from Chile. It takes advantage of the recent disaster which took place in that country and tries to alarm the population, so that they trust the email and get infected. The message is the following:

[image: Emaill_Chile_img1.jpg] *Email about alert in Chile*

It contains several links, and if you click any of them, you’ll access the website http://www.chile-national<blocked>phic.com, from which a file called Alerta_TerremotoyTsunami.mpeg.exe is downloaded, which belongs to the Trojan detected as Banker.MGB. This Trojan modifies the HOSTS file so that when you access any of the affected websites (http://www.santandersantiago.cl and http://www.santander.cl), you are redirected to another website which seems to be the original one. The first image belongs to the legitimate website and the second to the fake one:

[image: Banco_Santander_real_falsa.jpg] *Real and fake website*

The second one could pass itself off as the original one.
However, if you look at the address bar, you can see that it’s different from the usual one, as it belongs to an IP address:

[image: Email_Chile_img2.jpg] *Fake web address*

If you enter your login data for your online account, a message will be displayed informing you that for security reasons you have to enter the data of your coordinate card:

[image: Banco_Santander_falsa_img2.jpg] *Fake website*

Then, a screen simulating that the information is being processed is displayed and then a website is opened informing you that the process has failed and that you should try again later:

[image: Banco_Santander_falsa_img3.jpg] *Fake website*

By then, the cybercrook will have obtained your login passwords and the data of your coordinate card. I used to consider cybercrooks as people without scruples for what they do, but to spread a false alarm using such a sensitive topic after what has happened in Chile, and on top of that to steal their money, only proves that their scruples have no limits.
