Threat Intelligence Blog

Scammers launched an email campaign today that uses the Best Buy brand. A fairly obvious phishing email, it begins with the strangely worded subject line, “Delivery Canceling”, and contains a number of syntax and grammatical errors and oddities typical of low-end con artists. Examples include “we will pay your money back less 17” and “your order was reserved for the time of Christmas holidays.” This was either a very poor or possibly machine-based literal translation of something that undoubtedly sounded natural in its original language.

Based on the copies of the message captured by Cyveillance, the embedded links lead to a version of the “Sweet Orange” exploit kit, resulting in a drive-by download. Neither VirusTotal nor Cyveillance Labs’ five-year history of “in the wild” infections has seen the exact binary before, indicating it is either a zero-day payload or, more likely, a padded or modified version of a known malware package. We are continuing to analyze this, but in the meantime, researchers can reach the malicious site at this URL (note that the HTTP string in the protocol must be corrected):

link1

(WARNING: This is an infectious link leading to a potentially dangerous payload. Not recommended outside of a safe/lab environment. Since these links are typically short lived, future searches should use the MD5 for the payload we received: b94e1b2ebd33d65de4601adffe18d10c.)
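The indicators called out above (the subject line, the two oddly worded phrases, the Best Buy brand paired with off-brand links, and the payload MD5) can be turned into a simple mail-gateway or triage check. The following is an added example written for this post, not Cyveillance's tooling; the scoring threshold, the `bestbuy.com` brand domain and the sample messages are constructed assumptions.

```python
import hashlib
import re

# Indicators quoted in the post above.
SUBJECT_INDICATOR = "delivery canceling"
BODY_PHRASES = [
    "pay your money back less",
    "reserved for the time of christmas holidays",
]
PAYLOAD_MD5 = "b94e1b2ebd33d65de4601adffe18d10c"  # MD5 of the captured payload
BRAND = "best buy"
BRAND_DOMAIN = "bestbuy.com"  # assumed legitimate brand domain

# Host part of any http(s) URL in the message body.
LINK_RE = re.compile(r"https?://([^/\s'\">]+)", re.IGNORECASE)


def _is_brand_host(host: str) -> bool:
    """Exact brand domain or a subdomain of it (evilbestbuy.com must not match)."""
    host = host.lower()
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)


def score_email(subject: str, body: str) -> dict:
    """Return the matched indicators for one message.

    'suspicious' is an assumed threshold of two or more independent hits,
    so a single odd phrase in a legitimate mail does not trip it.
    """
    subj = subject.lower()
    text = body.lower()
    hits = []
    if SUBJECT_INDICATOR in subj:
        hits.append("subject")
    hits += [p for p in BODY_PHRASES if p in text]
    # Brand name in the text while every link points away from the brand:
    # the classic shape of a brand-impersonation lure.
    hosts = set(LINK_RE.findall(body))
    if BRAND in text and hosts and not any(_is_brand_host(h) for h in hosts):
        hits.append("off-brand-link")
    return {"hits": hits, "suspicious": len(hits) >= 2}


def matches_payload(data: bytes) -> bool:
    """True if the bytes hash to the MD5 reported for the captured payload."""
    return hashlib.md5(data).hexdigest() == PAYLOAD_MD5
```

Because the hosting links are short lived, the MD5 check is the part of this that stays useful once the site is gone.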
