To my Italian friend, refill your phone card for free!

Every once in a while, we come across highly targeted campaigns, especially ones aimed at speakers of a specific language. Today, we encountered an Italian spam campaign with the malware Troj/Fagianom-A attached in a zip file. Non-English campaigns are often missed by many spam traps, because they target users residing in specific countries. Fortunately, our worldwide spam traps enabled us to collect campaigns like this one in full.

The body text of the message is shown below:

[Image: Italian dialer 1]

The text above roughly translates as:

Hello Carlo,

I send you attached the program to make free refills at any phone in a completely anonymous.

I found in a U.S. site, is a figata and runs bad and is free

Hello

Roby

P.S.
I already reloaded 750 euros (ahahahahahahaha)

This malware relies on social engineering to work, as free cell phone usage is quite enticing for many people. For curious users who execute the attachment, the trojan dials a premium-rate dial-up service and redirects the user to a pre-specified website. So instead of getting free perks, the user ends up paying for a costly premium dial-up service.

Digging through the archives, we discovered two previous campaigns from the same IP source, shown below. The first asks users to open the attached file because it contains a photo of them that they can show to their friends. The second tells users that they are eligible for a tax refund. Both encourage a curious user to execute the payload.

[Image: Italian dialer 2]

Translated:

Since you are the person in the photos attached …

Watched by the people you are close.

A friend

[Image: Italian dialer 3]

Translated:

Dear friends,

Ferrovie dello Stato is pleased to inform you that from 1 May 2008 you can request a refund on late made on all domestic routes.

As a result, we inform you that our audit, deserves a refund of Euro 780.00.

Please see the attached form and follow the instructions to send us this form.

N.B.
Repayment will be by bank transfer no later than 5 working days of receipt.

----------------------------------------

In the case of any problems with the mdulo Annex, can visit our site
or download the form here

----------------------------------------

Some of having done what welcome
Sincerely Porgiamo

Ennio Zibris
Head Refunds
Trenitalia S.p.a.

The above campaigns were detected proactively by our anti-virus and anti-spam solutions when they first appeared. This goes to show the value of heuristics and proactive means of detection: customers are protected before the malware and spam are sent.