June 08, 2012, 1:33 PM — A particularly effective-looking bit of phishing spam is circulating in the U.S. right now, disguising itself as an errant document sent from a smart, Internet-connected printer used by a business partner or colleague at the same company.
The subject line meets one of the two major criteria for a really effective lie: It is designed to be so routine and uninteresting that few victims will think about it long enough to doubt its authenticity: "Fwd: Scan from a HP ScanJet #XXXXXX"
The numbers at the end vary, as does some of the text in the body, though most are very similar.
A document was scanned and sent to you using a Hewlett-Packard ScanJet OFC993-2P
Sent to you by: A.L.
Pages : 8
Filetype(s): Images (.jpeg) View
Clicking on the image takes victims to one of three Russian web sites: dsakhfgkallsjfd[.]ru:8080, doosdkdkjsjdfo[.]ru:8080 or debiudlasduisioa[.]ru:8080.
Each is loaded with a Phoenix Exploit Kit (PEK), which has been successful enough to keep itself viable since it first turned up in 2007.
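The lure above is easy to screen for at the mail gateway. The following is an added example, not code from the article or from any vendor it cites: it parses a message, checks for the ScanJet subject pattern, and flags links to external hosts on an unusual port or a .ru domain, which is the combination a real scan-to-email printer never produces. The sample messages and the hostname `constructed-lure-host.ru` are constructed for the demonstration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Subject pattern from the campaign: "Fwd: Scan from a HP ScanJet #XXXXXX"
SUBJECT_RE = re.compile(r"scan from a hp scanjet\s*#\d+", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Real scan-to-email devices attach the document; they do not link to an
# external host on a non-standard port such as 8080.
SUSPICIOUS_PORTS = {8080}


def score_message(raw: bytes) -> dict:
    """Return the indicators found in one RFC 822 message and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hits = []
    if SUBJECT_RE.search(subject):
        hits.append("scanjet-subject")
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if parsed.port in SUSPICIOUS_PORTS:
            hits.append(f"odd-port:{parsed.hostname}:{parsed.port}")
        if parsed.hostname and parsed.hostname.endswith(".ru"):
            hits.append(f"ru-host:{parsed.hostname}")
    # Lure subject alone could be a legitimate internal scan; lure subject
    # plus a suspicious external link is what should be quarantined.
    if "scanjet-subject" in hits and len(hits) > 1:
        verdict = "quarantine"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"subject": subject, "hits": hits, "verdict": verdict}


# Constructed samples (hostname is a placeholder, not a real indicator).
LURE = (b"Subject: Fwd: Scan from a HP ScanJet #284711\r\n"
        b"Content-Type: text/html\r\n\r\n"
        b"<p>A document was scanned and sent to you</p>"
        b"<a href=\"http://constructed-lure-host.ru:8080/scan.jpeg\">View</a>\r\n")
INTERNAL_SCAN = (b"Subject: Scan from a HP ScanJet #12\r\n"
                 b"Content-Type: text/plain\r\n\r\nAttached: 3 pages.\r\n")
CLEAN = (b"Subject: Quarterly report\r\nContent-Type: text/plain\r\n\r\n"
         b"See https://intranet.example.com/report\r\n")
```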
When a victim hits the malware site, a PHP script hits a MySQL database that collects statistics on who the visitors are and where they came from. It then serves pages designed to exploit the specific collection of browsers, anti-virus and operating system the victim uses.
The specific attack uses known vulnerabilities in Flash, PDF and Windows primarily, though also Java and Adobe Reader. It downloads the malware payload along with an additional layer of code that hides what the malware is doing while it unpacks and installs itself, to protect against antivirus.
That's just to get the exploit code in place, however.
The real payload is part of the Bugat/Feodo banking-information-stealing family of malware, which security company FrontOne describes as being similar to the scarily effective ZeuS and SpyEye.
The Feodo Trojan that seems to be the dominant attack module is not part of a commercial malware kit, however, as the others are. It is more likely the property of one gang, FrontOne guesses.