We spotted an interesting case of a person complaining about e-mail malware with social engineering content which hits home almost too well, and decided to investigate a bit.
The person had been talking to his friend about possibly booking tickets to San Francisco in the near future. Six hours after the phone call he received an e-mail about an electronic plane ticket to San Francisco, with an attachment. The person was cautious enough not to touch the attachment, which was a good decision, as our analysis identified it as a variant of Trojan.Krypt.AU.
This may be just a case of mass-spammed malware whose social engineering text happened to hit this particular user at exactly the right moment. But when we checked our sample collection, there were only 1250 instances of related malware, which indicates that this particular malware is not being spammed to large audiences, and thus the odds of a random hit with exactly the right content are very small.
Over the last year providers of targeted advertising have become a lot better at profiling users. For example, when I have been browsing for flight or hotel information, I have started to receive e-mail about flight and hotel offers for that particular destination from TripAdvisor and other companies. Of course, in order to experience this one has to have Freedome disabled so that one can be tracked, but that is the price of wanting to experience the net like a regular user.
So this case looks very much like some targeted advertising service was misused for victim discovery by malware authors. We have seen advertising misused a lot with search engines, but this is the first case where we have indications that e-mail advertising services are being used in a similar manner.
So far there is no proof that the victim selection was done by abusing targeted profiling, or, if profiling was used, that it was based on phone call analysis. Perhaps the person searched for something which provided a match for the profilers. But this is an interesting case and we will be keeping an eye out for future developments.
Post by — Jarno
On 26/09/14 At 11:38 AM