Malware-laden fake YesAsia invoices spammed out

Filed Under: Malware, Spam

YesAsia Trojan horseYesAsia.com is a popular online retailer that sells Asian and Western products. Think of a website like Amazon.com, but with a focus on selling movies, music, and electronics to customers in Asian countries.

Unfortunately, it seems that cybercriminals are trying to take advantage of YesAsia's popularity by spamming out malicious emails posing as invoices.

Here's an example, claiming that the recipient's credit card has been charged for the purchase of a Logitech webcam and a Freecom external hard drive:

YesAsia malicious email. Click for a larger versionClick on the above image to see a larger version.

Be wary if you receive one of these emails, as the links do not point to yesasia.com but to a ZIP file on yesasia-invoices.com instead.

YesAsia-invoices.com is not a real YesAsia website, and was registered by somebody just yesterday for the purposes of duping PC owners into installing the malware.

Domain registration for yesasia-invoices.com

The .ZIP file is detected by Sophos as Mal/BredoZp-B and the .EXE contained within is detected as the Troj/VB-FPL Trojan horse.

You should always be suspicious of unsolicited emails, and please remember to keep your anti-virus software up-to-date.

, , , ,

You might like

4 Responses to Malware-laden fake YesAsia invoices spammed out

  1. Daniel M. · 1022 days ago

    Found this one lurking through our event logs this morning:
    C:Users<removed>AppDataLocalTempTemp1_Invoice-Y4C20111010C34[1].zipYesasia Invoice Y4C20111010C34 2011-10-10.exe

    After it ran it placed the file scanned by Virus Total below:
    http://www.virustotal.com/file-scan/report.html?i...

    Virus total result for "Windefender.exe" which was found in the users %AppData% folder also found "Windefender.exe.jpg" stored in the temp folder of the users computer. It was logging the users keystrokes to a file named "windows" in the %AppData% folder as well

  2. Angie · 1020 days ago

    There is another twist to this I think...:

    I had two copies of this email today. Both were sent to addresses associated (uniquely) with two Paypal accounts of mine (i.e., email address at my own domain with "paypal-something" before the @). Furthermore both emails were addressing me by my full name.

    Could it be that Paypal got hacked?

    • Tereas · 1004 days ago

      I can also vouch for this link to Paypal, I changed my name (due to divorce) on all accounts other than Paypal. I received the spam mail and was rather suprised to see it addressed to my old married name. Something I've not seen for 3 years...

  3. Paul · 1020 days ago

    Hi

    I got one and panicked. I cannot open zip files.

    Anyway do you have any advice as to what I should do?

    Paul

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.