Rash of Spam Uses Social Engineering to Exploit Victims

Spam claims to offer free tickets and a trailer of new movie.

by / May 25, 2007

A wave of spam containing the Pirabbean.A Trojan has been discovered. This junk mail tries to attract users' attention with references to the latest episode of the Pirates of the Caribbean saga. The e-mail includes an image that looks like promotional material for the film and claims to contain a trailer and the chance of free tickets if you are in North America or Europe. The message subject simply says: "Pirates of the Caribbean: At world's end."

"This is another example of social engineering in action. Malware creators try to entice users into infecting themselves. For this reason, users should always be cautious and not even open messages from unknown senders, no matter how tempted or curious they are," advises Luis Corrons, technical director of PandaLabs.

The mail includes two links that supposedly point to trailers. However, if users click on them, they are really downloading Pirabbean.A.

"Of course, there are no tickets," warns Paul Ducklin, Head of Technology, Asia Pacific, at Sophos. "And there is no film trailer -- just a malicious program which tries to download further malware from the internet. Remember: if an e-mail sounds too good to be true, then you can safely assume that it isn't true."

When the Trojan is run, it shows an error message. This claims that there has been a problem playing the trailer as the computer does not have the necessary codec, and users are advised to visit the film's official Web site.

"If after clicking on the link nothing happened, users would be suspicious. So in this way, the Trojan hides its malicious action and prevents users from checking whether they are infected," explains Corrons.

Pirabbean.A is also designed to download a dialer, detected as Dialer.KGC. As with all dialers, it is designed to switch the dial-up Internet connection to a premium rate number.

The Trojan also edits some Internet Explorer settings, adding two URLs to the Favorites. If users visit these pages, they will be infected with other dialers.

Ducklin reminds users that there is an easy solution to the risks posed by unknown or unlikely e-mails: "Don't try, don't buy, don't click, don't reply!"

Gina M. Scott Writer