13:24 Warning to Webmoney users: phishers are sending out a fake client program
Hello, reader! Today I want to describe, and warn about, a way of extracting money from people that is new to me. The targets this time are users of the quite popular Webmoney service. A very amusing letter, ostensibly from Webmoney, landed in my mailbox today:

"Dear participant of the WebMoney Transfer system!

The WebMoney system has released a new version of the program, WebMoney Keeper Classic 3.8.0.0, which does not require installation and takes only 1.5mb. This program is in closed access and is sent to our customers by e-mail for security purposes. The program is in the message.

This is an automated message. If you have any questions, please explore the background information: www.webmoney.ru/rus/about/demo/ or send a question to the address support@wmtransfer.com

Sincerely, Team WEBMONEY TRANSFER"

And all of that would be fine, but Webmoney:
The text of the letter is not limited to this: there is also an "English" version of the message, but with terrible syntax errors. That is what made me look at the headers, and this is what was there:

X-Kaspersky: Checking
Return-path: <mrpotolo@biz12bl.bizhosting.ru>
Received: from [82.140.91.142] (port=59507 helo=biz12bl.bizhosting.ru)
    by mx43.mail.ru with esmtp id 1Le70Z-0000iy-00
    for orenlab@list.ru; Mon, 02 Mar 2009 15:12:31 +0300
Received-SPF: none (mx43.mail.ru: 82.140.91.142 is neither permitted nor denied by domain of biz12bl.bizhosting.ru)
    client-ip=82.140.91.142; envelope-from=mrpotolo@biz12bl.bizhosting.ru; helo=biz12bl.bizhosting.ru;
X-Mru-PTR: none
X-Mru-NR: 1
X-Mru-OF: unknown (unknown)
X-Mru-RC: RU
Received: from mrpotolo by biz12bl.bizhosting.ru with local (Exim 4.69 (FreeBSD))
    (envelope-from <mrpotolo@biz12bl.bizhosting.ru>) id 1Le70X-000Efj-36
    for orenlab@list.ru; Mon, 02 Mar 2009 15:12:29 +0300
To: orenlab@list.ru
Subject: WebMoney Keeper Classic 3.8.0.0
X-PHP-script: mrpotolok.ru/svids/svf/wmwids/mail.php for 95.84.11.76
MIME-Version: 1.0;
Content-Type: multipart/mixed; boundary="- 8f71e28220cb8225029c69bbb564bc9f"
From: WebMoney <support@wmtransfer.com>
Message-Id: <E1Le70X-000Efj-36@biz12bl.bizhosting.ru>
Sender: User Mrpotolo <mrpotolo@biz12bl.bizhosting.ru>
Received: for <orenlab@pop.list.ru>
Date: Mon, 02 Mar 2009 15:12:29 +0300
X-Spam: Not detected

On the whole, seemingly ordinary spam, if not for one "but"!
The attachment was an executable file called WebMoney Keeper Classic 3.8.0.0.exe, with the same icon as the real program and, moreover, compiled with the same version information as the genuine one:

Version language: Russian (Russia)
CompanyName: CJSC «Computing Forces»
FileDescription: WebMoney Keeper Classic Runner Module
FileVersion: 3, 6, 0, 1
InternalName: WebMoney Keeper Classic
LegalCopyright: Copyright © 1998-2008 by CJSC «Computing Forces»
LegalTrademarks: WebMoney Transfer
OriginalFilename: webmoney.exe
ProductName: WebMoney Keeper Classic
ProductVersion: 3, 6, 0, 1
Comments: WebMoney. Confidence Internet Information Service Technology.
Creation Date: 02/03/2009 20:15:27
Last Modif. Date: 02/03/2009 20:15:30
Last Access Date: 02/03/2009 00:00:00
FileSize: 1,586,688 bytes (1549.500 KB, 1.513 MB)
FileVersionInfoSize: 2244 bytes
File type: Application (0x1)
Target OS: Win32 (0x4)
File / Product version: 1.0.0.0 / 1.0.0.0
Language: Russian (Russia) (0x419)
Character Set: 1251 (ANSI - Cyrillic) (0x4E3)

I did not run it, since common sense dictates that doing so is not worth it :). Be careful, and do not lose control of, or funds from, your Webmoney keeper through inattention.

P.S. I have, of course, sent the sample to the Webmoney security service, but I believe it will not be superfluous to inform a wider audience as soon as possible (I know that Habr is read not only by information security gurus).
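The header check described in this post can be automated. The following is an added example, not part of the original post: it parses a subset of the headers quoted above (whitespace normalized) and reports the mismatches that give the message away. The function names findings and same_org are hypothetical helpers, and the list of executable extensions is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Headers transcribed from the message quoted in this post (whitespace normalized).
RAW = """\
Return-path: <mrpotolo@biz12bl.bizhosting.ru>
Received-SPF: none (mx43.mail.ru: 82.140.91.142 is neither permitted nor denied by domain of biz12bl.bizhosting.ru)
To: orenlab@list.ru
Subject: WebMoney Keeper Classic 3.8.0.0
X-PHP-script: mrpotolok.ru/svids/svf/wmwids/mail.php for 95.84.11.76
From: WebMoney <support@wmtransfer.com>
Sender: User Mrpotolo <mrpotolo@biz12bl.bizhosting.ru>

"""

def domain(header_value):
    """Return the lower-cased domain of the address in a header value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def same_org(a, b):
    """Crude relatedness test: equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def findings(raw, attachment_names=()):
    """List the reasons a message looks spoofed, based on its headers."""
    msg = message_from_string(raw)
    out = []
    from_dom = domain(msg["From"])
    # The visible From address should agree with the envelope sender and Sender.
    for hdr in ("Return-path", "Sender"):
        d = domain(msg[hdr])
        if d and not same_org(from_dom, d):
            out.append(f"{hdr} domain {d} does not match From domain {from_dom}")
    # First token of Received-SPF is the verdict recorded by the receiving MX.
    spf = (msg["Received-SPF"] or "").split(" ", 1)[0].lower()
    if spf != "pass":
        out.append(f"SPF result is '{spf or 'missing'}', not 'pass'")
    if msg["X-PHP-script"]:
        out.append("sent by a web script: " + msg["X-PHP-script"])
    for name in attachment_names:
        if name.lower().endswith((".exe", ".scr", ".com", ".pif")):
            out.append(f"executable attachment: {name}")
    return out

if __name__ == "__main__":
    for f in findings(RAW, ["WebMoney Keeper Classic 3.8.0.0.exe"]):
        print("-", f)
```

For this message the check reports five findings: the Return-path and Sender domains both differ from the From domain, SPF is "none", the mail was generated by a PHP script, and the attachment is an executable.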