Fraud Transactions Warning Malware Email

by Brett M. Christensen

Email warns that the recipient’s credit card has been involved in fraudulent transactions


Subject: Fraud Transactions

Hello there
Dear Valued Customer,

We have reasons to believe that your credit card has been involved in a number of fraudulent transactions we have spotted recently. Enclosed is the account statement with the list of transactions made with your credit card between 01.09.2008 and 03.09.2008. Please look carefully through the enclosed document; the last three of the listed transactions are the ones that we suspect to be fraudulent.

I would appreciate if you could find time to clarify this issue and confirm the transactions that you have made personally. This would help us both to have this issue resolved as quickly as possible.

Please find the Word-formatted copy of your account statement is enclosed in the archive attached to this message.

Shawn Carson
Manager of Credit Card Fraud Defense

Detailed Analysis:
According to this email, “Credit Card Fraud Defense” has detected that the recipient’s credit card has been involved in a number of fraudulent transactions. The message urges the recipient to open an attached file that supposedly contains an account statement with details about the transactions.

However, the message does not originate with a credit card provider and the attached file does not contain an account statement. Instead, opening the attachment can launch a malicious computer program that installs malware on the user’s computer.

Malware distributors regularly use similar tactics to fool unwary users into installing malware and trojans. By sending false information such as a warning about fraudulent credit card transactions, they hope to panic the recipient into opening the attachment without due caution. There have been a number of other malware emails that use the same basic idea. In some, the scammers may claim that the recipient’s credit card has been used to purchase an item or service that he or she knows nothing about. In others, they may claim that the recipient has been caught visiting illegal websites, or been accused of other wrongdoing such as distributing spam or viruses.

In all such messages, the recipient is urged to open an attachment in order to find out more information about the supposed transactions or accusations. But, alas, the attachments will harbour malware that can infect the user’s computer. In many cases, once installed, the malware will download other malware components, harvest personal information from the infected computer and communicate with a remote server. It may also allow hackers to take control of the infected computer and use it to distribute even more malware or send spam messages.

As well, malware distributors often use clever tricks to make the malicious attachment seem innocent, thereby increasing the chances that a user will open it. In this case, the attachment is a .zip file that contains a dangerous .exe file. However, the name of the .exe file has been disguised so that it appears to have a harmless .doc (Microsoft Word) file extension. The full name of the file is actually “Statement_01.doc.exe” as shown in the screenshot on the right.

The file name contains a large number of spaces between the “.doc” and the “.exe”. Because of the large gap in the file name, some users may not even notice the “.exe” file extension and just assume that it is a Word document as claimed in the email. This “double extension” ruse is especially effective if the computer is configured to “hide extensions for known file types”. The screenshot to the left shows the same file with this option enabled.

To help avoid worm and malware infections, users should be very cautious of any unsolicited emails that ask them to open an attached file to check transaction records or find out more about a supposed accusation or complaint. In fact, such malware emails are not hard to recognize if the user takes the time to properly analyze the claims in the messages before opening any attachments. For example, it is extremely unlikely that a credit card provider would contact a customer about alleged fraudulent transactions via an unsolicited email, especially when the message does not specifically name either the recipient or the provider. Moreover, entities such as the FBI or the CIA will also never send accusations via unsolicited emails.
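
As an added illustration (not part of the original article), the following Python example checks the file names inside a .zip attachment for the disguise described above: a harmless-looking document extension, optional space padding, and then an executable extension. The extension lists, function names and the sample archive are assumptions constructed for this example.

```python
import io
import re
import zipfile

# Assumed lists for this example; extend them to match local policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXTS = {"doc", "docx", "xls", "pdf", "txt", "jpg", "rtf"}

# Decoy extension, optional whitespace padding, then the real final extension.
PATTERN = re.compile(r"\.([A-Za-z0-9]{1,5})(\s*)\.([A-Za-z0-9]{1,5})\s*$")


def check_name(name):
    """Return a finding dict if `name` uses the double-extension ruse, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # ignore folder parts
    m = PATTERN.search(base)
    if not m:
        return None
    decoy, padding, real = m.group(1).lower(), m.group(2), m.group(3).lower()
    if decoy in DECOY_EXTS and real in EXECUTABLE_EXTS:
        return {"name": base, "decoy": decoy, "real": real, "padding": len(padding)}
    return None


def scan_zip(data):
    """Check every member name in a zip archive (given as bytes) without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings = [check_name(info.filename) for info in zf.infolist()]
    return [f for f in findings if f]


def build_sample_zip():
    """Constructed sample: harmless placeholder bytes under illustrative names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement_01.doc" + " " * 40 + ".exe", b"placeholder")
        zf.writestr("readme.txt", b"placeholder")
        zf.writestr("report.final.doc", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

Because the check reads only the archive's directory of names, nothing from the attachment is extracted or run.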

First published: 10th October 2008