Debunking email hoaxes and exposing Internet scams since 2003!

Hoax-Slayer Logo Hoax-Slayer Logo

DividerDivider
Home    About    New Articles    RSS Feed    Subscriptions    Contact
DividerDivider
Bookmark and Share









Fake Membership Confirmation Emails

Summary:
Links in emails supposedly confirming membership of a website or online service actually lead to a trojan (Full commentary below).



Examples:(Received, August 2007)
Dear Member,

Thank You for Joining Resume Hunters.

Account Number: 99484233616
Temp Login ID: user2726
Temorary Password: ty408

Please keep your account secure by logging in and changing your login info.

Follow this link, or paste it in your browser: [Link to malicious website removed]

Thank You,
Technical Services
Resume Hunters

Greetings,

Here is your membership info for Ringtone Heaven.

Confirmation Number: 868414332499
Your Temp. Login ID: user3355
Your Temp. Password ID: ve415

Please keep your account secure by logging in and changing your login info.

This link will allow you to securely change your login info: [Link to malicious website removed]

Enjoy,
Technical Services
Ringtone Heaven



Commentary:
Since June 2007, a series of fake eCard notification emails have been hitting inboxes around the world. Links in the emails lead to malicious websites that can install a trojan on the user's computer. In August 2007, the criminals responsible for the fake eCard messages changed tactics a little and began distributing bogus membership confirmation emails like those included above.

The emails supposedly contain temporary login details for a website providing a service such as resume listings or ringtone downloads. The recipient is urged to secure their account by logging on and changing their login details. However, the login link in the email actually points to a website that attempts to use a Windows vulnerability to install a trojan. It may also attempt to trick the visitor into manually installing malware components. The bogus web page may contain a message similar to the following:
If you do not see the Secure Login Window please install our Secure Login Applet.
If the visitor clicks on the "Secure Login Applet" link, a trojan will be installed on his or her computer. Once installed, the trojan may then download other malware components from the Internet.

Like similar malware emails, the message tries to make the recipient curious enough to click on the link without due caution. Recipients may be concerned that they have been signed up for an unwanted service without their knowledge or permission and therefore click the included link in the hope of rectifying the issue. Or they may believe that they have been given a free membership as a gift or by mistake and click on the link to access their new "service".

As well as the two shown above, the trojan emails offer a variety of other bogus memberships as bait including access to MP3 websites and online dating services. The bogus links in the messages are usually shown as IP addresses rather than normal website addresses. They have a range of subject lines, including the following: The perpetrators of this ongoing malware attack may well change tactics again at any time. Internet users should be very cautious of, not only supposed eCard notification emails and the fake membership messages discussed here, but also any other unsolicited emails that ask them to click an included link. It is also vitally important that all Windows users ensure that they have the latest security updates installed and use a firewall along with anti-virus and anti-spyware scanners.

References:
Postcard From a Family Member Malware Email
Zhelatin/Storm changes yet again
Morphing ECards
Malicious eCard Emails Continue

Last updated: 22nd August 2007
First published: 22nd August 2007

Write-up by Brett M. Christensen

Similar Articles:
Dell Online Store Trojan Email
Customer Support Center Robot Worm Email
Storm Worm Hitting Inboxs Worldwide