Thursday, February 16, 2012

Fake CULT Order Confirmation Email Used to Spread Malware

If you receive a confirmation email for an order you don't recall placing, beware: it may be a trap.

Security experts over at PandaLabs (of Panda Security) have come across a phishing email posing as an order confirmation email from CULT, a clothing retailer based in the UK.

The email is carefully crafted, too. There are no obvious grammar or spelling errors, the sender address is spoofed to look like CULT's, and the crooks build credibility with a consistent fake order number and a real product that CULT sells in the order details.

The one detail that may give it away is the order date, listed as "02/11/2007." (The arithmetic is off as well: 174.99 plus 16.00 delivery comes to 190.99, not the 190.90 shown.)

Here's the email:

CULT Order Confirmation Phishing Email

Image Credit: PandaLabs

From: []
Subject: CULT Order Confirmation (CULT78318)

Dear [NAME],

Thank you for shopping with CULT. Please look over the details below to ensure your order is correct.

If you have any queries with your order please contact us.

Please allow 3-5 days for delivery.

Payment Type: Credit/Debit Card

The order can be viewed by visiting:


Your Order Number is CULT78318             02/11/2007
What you bought…               Qty   Price each (GBP)   Sub
Superdry                        1    174.99             174.99
Superdry vintage distressed leather Brad jacket made from super-soft full grain leather with six pocket design, embroidered motif on shoulder and layered collar detail. As worn by David Beckham.

Colour: brown
Size: M
Item Code: BU0105010040

Total: 174.99
Voucher: -0.00
Delivery: 16.00

Total + Delivery: 190.90

Unit 60
The Runnings

GL51 9NW

Unfortunately, anyone who clicks the link to "view the order details" is in for an unpleasant surprise: instead of a PDF, the link downloads a malicious EXE masquerading as one. Inside that executable hides a Trojan with bot capabilities, which PandaLabs has dubbed "Ainslot.L".
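To make the "EXE masquerading as a PDF" trick concrete, here is an added example written for this page (it is not PandaLabs' or CULT's code and says nothing about what the real attachment looked like). It checks a downloaded file the way a mail gateway or a cautious user's script might: a Windows-executable extension hidden behind a decoy extension, the Unicode right-to-left override trick, and file bytes that start with the PE "MZ" signature rather than "%PDF". The filenames and byte strings are constructed samples; only the order number CULT78318 is taken from the email.

```python
import os

# Extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Extensions commonly used as the harmless-looking half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}
# U+202E reverses the display order of what follows, so "x\u202efdp.exe" renders as "xexe.pdf".
RTLO = "\u202e"

# Leading bytes that identify common file types (a Windows PE executable starts with "MZ").
MAGIC = [(b"MZ", "pe-executable"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]


def sniff(data: bytes) -> str:
    """Classify a file by its first bytes, ignoring the name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_download(filename: str, data: bytes) -> list:
    """Return the reasons a file looks like a disguised executable (empty list if clean)."""
    findings = []
    if RTLO in filename:
        findings.append("filename contains a right-to-left override character")
    name = filename.replace(RTLO, "").lower()
    root, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
        inner = os.path.splitext(root)[1]
        if inner in DECOY_EXTS:
            findings.append(f"double extension: looks like {inner} but runs as {ext}")
    kind = sniff(data)
    if kind == "pe-executable" and ext not in EXECUTABLE_EXTS:
        findings.append(f"content is a Windows executable but the extension is {ext or '(none)'}")
    elif ext == ".pdf" and kind != "pdf":
        findings.append(f"claims to be a PDF but content sniffs as {kind}")
    return findings


# Constructed samples (not the real attachment): a PE-like stub and a minimal PDF header.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
PDF_STUB = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

SAMPLES = [
    ("CULT78318_order.pdf.exe", PE_STUB),        # the classic double extension
    ("CULT78318_order.pdf", PE_STUB),            # renamed executable; the extension lies
    ("CULT78318_order\u202efdp.exe", PE_STUB),   # displays as "CULT78318_orderexe.pdf"
    ("CULT78318_invoice.pdf", PDF_STUB),         # a genuine PDF
]


def triage_downloads(samples=SAMPLES) -> dict:
    """Map each sample filename to its findings; a real scanner would read files from disk."""
    return {name: check_download(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, findings in triage_downloads().items():
        print(f"{name!r}: {findings or 'clean'}")
```

The content check matters more than the name check: Windows hides known extensions by default, so "order.pdf.exe" is displayed as "order.pdf", but the first two bytes of the file cannot be hidden.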

Once Ainslot.L is on a computer, it creates or modifies registry keys so that it runs at startup and gets past the Windows firewall, hunts down and removes any rival data-stealing Trojans already on the system, and then uses its own keylogger to capture account logins (bank accounts and social networking profiles alike) and relays them to the cybercriminals behind it.
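The registry changes described above are the first thing an incident responder looks for. The following is an added example, not PandaLabs' analysis and not a description of the keys Ainslot.L actually touches: it parses a constructed .reg export and flags autostart entries (the ...\CurrentVersion\Run keys) and Windows Firewall exception-list entries (the XP/2003-era ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List) that point into user-writable directories or borrow a system binary's name from outside \Windows. The key paths are real Windows locations; every entry in SAMPLE_REG is invented.

```python
import re

# Constructed .reg export (invented entries; the key paths are real Windows locations).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe:*:Enabled:svchost"
"""

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# The Windows XP/2003 firewall exception list: an entry here lets a program accept
# inbound connections without the user ever seeing a prompt.
FIREWALL_LIST_RE = re.compile(r"\\FirewallPolicy\\.*\\AuthorizedApplications\\List$", re.IGNORECASE)
# "name"="data" lines; .reg escapes backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str):
    """Yield (key, name, data) for every string value in a .reg export (dword: etc. are skipped)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def image_path(data: str) -> str:
    """Pull the executable path out of a Run value or a firewall list entry."""
    if data.startswith('"'):                 # quoted path, possibly followed by arguments
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Firewall entries look like path:*:Enabled:name; unquoted Run values may carry
    # arguments after a space (unquoted paths containing spaces are not handled).
    return data.split(":*:")[0].split(" ")[0]


def suspicious(path: str) -> list:
    reasons = []
    low = path.lower()
    if any(d in low for d in USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append(f"{base} is a system binary name but the image is outside \\Windows")
    return reasons


def triage_reg(reg_text: str) -> list:
    """Return (where, value name, image path, reasons) for every suspicious persistence entry."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if RUN_KEY_RE.search(key):
            where = "autostart"
        elif FIREWALL_LIST_RE.search(key):
            where = "firewall exception"
        else:
            continue
        path = image_path(data)
        reasons = suspicious(path)
        if reasons:
            findings.append((where, name, path, reasons))
    return findings


if __name__ == "__main__":
    for where, name, path, reasons in triage_reg(SAMPLE_REG):
        print(f"[{where}] {name} -> {path}: {'; '.join(reasons)}")
```

On a live system you would export the keys with `reg export` and feed the file to `triage_reg`; the two heuristics (user-writable location, system-binary name in the wrong place) catch a large share of commodity Trojans without any signature.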

Sounds like fun, right?

To avoid having their PC infected with the Ainslot.L Trojan, users should:

  • Avoid following links within unsolicited emails, even if they appear to be legitimate.

  • Avoid downloading files from untrusted sources, and turn off Windows Explorer's "Hide extensions for known file types" option so that an executable named to look like a PDF is shown for what it is.

  • Always run antivirus software on their PC and make sure the virus definitions are current.

  • Make sure their email client is protected by a comprehensive spam and malware filtering solution.

Stay safe, folks!

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.
