As of November 3 this year, over 560 Internet crime complaints about spam e-mails had been filed with the US Internet Crime Complaint Center (IC3). The complaints state that many users of E-ZPass, a system that combines more than 26 road agencies in the US and 15 countries worldwide to collect tolls for roads, bridges and tunnels, have received e-mails claiming that they have not paid their toll bills, with the messages possibly carrying phishing content and malware.
The spam e-mails warn the victims that they have not paid their E-ZPass tolls and give instructions on how to do so. The instructions are in an attached file that looks like an invoice. What the attachment actually does is lead to a ZIP file containing malware; opening it infects the victim's machine at once. The messages do not appear to be trying to make the recipients pay anything, only to get the malware installed on their machines.
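To make the lure described above concrete from the defender's side, the following is an added example (not from the article, from IC3 or from any E-ZPass agency) of a mail-gateway check that pairs toll/invoice wording in the subject or body with a ZIP attachment whose members have executable extensions. The messages are constructed test data; the phrase list, the suffix list, the `example.invalid` addresses and the function names are assumptions for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Wording typical of a toll-payment lure. A real mail filter would use a
# broader, maintained list; this is an assumed minimal set for the example.
LURE_PHRASES = ("e-zpass", "toll", "unpaid", "invoice")

# Member names inside an attached archive that should never arrive as an "invoice".
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd")


def build_sample_message(subject: str, body: str, zip_member: str) -> bytes:
    """Construct a sample e-mail with a ZIP attachment (test data, not a real message)."""
    msg = EmailMessage()
    msg["From"] = "notice@example.invalid"   # constructed sender
    msg["To"] = "driver@example.invalid"     # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Harmless placeholder bytes; only the member name matters for the check.
        zf.writestr(zip_member, b"placeholder content")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


def zip_member_names(payload: bytes) -> list:
    """Return the member names of a ZIP payload, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def assess_message(raw: bytes) -> dict:
    """Flag mails that combine a toll/invoice lure with an executable inside a ZIP."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        text += " " + body_part.get_content()
    text = text.lower()
    lure_hits = [p for p in LURE_PHRASES if p in text]

    executables = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        # Check the magic bytes too, so a renamed archive is still inspected.
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            executables.extend(
                m for m in zip_member_names(payload)
                if m.lower().endswith(EXECUTABLE_SUFFIXES)
            )

    return {
        "lure_phrases": lure_hits,
        "executables_in_zip": executables,
        "suspicious": bool(lure_hits) and bool(executables),
    }


if __name__ == "__main__":
    sample = build_sample_message(
        "E-ZPass: unpaid toll invoice",
        "Your toll is unpaid. Open the attached invoice for payment instructions.",
        "invoice.exe",
    )
    print(assess_message(sample))
```

The check deliberately requires both signals before marking a message suspicious: toll wording alone is common in legitimate mail, and a ZIP alone is not malicious, but an "invoice" archive that unpacks to an executable is the shape of the campaign the article describes. Inspecting the archive's magic bytes as well as its filename keeps a renamed attachment from slipping past the filter.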
‘Some of the command and control server locations (of the malware) are associated with the ASProx botnet, which has previously disseminated other spam imitating major retail stores. It does not appear the E-ZPass e-mails actually attempt to entice recipients to pay anything. Rather, the infected machines are reportedly used for advertising click-fraud,’ says a statement on the case posted on the official IC3 web-site on November 3.
The ASProx botnet, also known as Aseljo or Badsrc, uses SQL injection and phishing scams against users in order to spread malware, and has been known to security researchers since around 2008. Its campaigns now have a double effect, as they carry both malware-infected web-site links and malicious attachments. They continue to grow and give the attackers the opportunity to reach a wider range of computers. In the past the ASProx botnet was connected with Russian affiliate programs in which the hackers profited by infecting machines with fake anti-virus software. Asprox has since been upgraded to make such campaigns even more effective, and it now also runs campaigns in different languages to spread malware to the maximum number of victims.
IC3 and its partners report a new trend that follows breaches of high-profile organizations. Along with the usual phishing attacks, false advertisements have appeared on dump web-sites offering the leaked database of compromised account credentials for sale. These advertisements usually include a small sample of the supposedly compromised credentials. The standard price is about 0.5 – 1.453 Bitcoins each, and other virtual currencies are sometimes accepted as well.
‘The IC3 have identified a recent trend which occurs shortly after a high-profile organization suffers a data breach. Along with the normal phishing attacks expected from a high-profile breach, false advertisements offering the ‘full leaked database’ of compromised account credentials for sale have also appeared on various dump sites. Advertised pricing has ranged anywhere from 0.5 – 1.453 Bitcoins, and other virtual currencies are sometimes also accepted. Each advertisement usually includes a small sampling of compromised credentials reported to be from the breach, but further analysis of the sampling indicates the records are invalid,’ reads the agency’s exact statement.