Site icon Panda Security Mediacenter

Cybercriminals taking advantage of the Japanese earthquake

Yesterday we saw a message that promised to show you a video about the disaster after the earthquake and the tsunami. It included a link, that was an executable file:

http://<>/consulado/japones/urgente/desespero-da-equipe-de-resgate-ao-encontrar-milhares-de-corpos-816283hDGJDj36378.youtube.com-AVI.exe

This is just a downloader, that downloads and installs more malware in your computer. It also downloads a HOSTS file and overwrites in your computer to redirect the browser in case you visit any of the following web sites:

www.banespa.com.br

banespa.com.br

www.santander.com.br

santander.com.br

caixa.com.br

www.cef.gov.br

cef.gov.br

www.cef.com.br

www.caixa.gov.br

caixa.gov.br

www.caixa.com.br

live.com

www.live.com

www.msn.com

cef.com.br

internetbanking.caixa.gov.br

internetbanking.caixa.com.br

internetbanking.cef.gov.br

internetbanking.cef.com.br

www.e-gold.com.br

e-gold.com.br

www.e-gold.com

e-gold.com

www.bradescoprime.com.br

www.cetelem.com.br

cetelem.com.br

www.cartaoaura.com.br

msn.com

www.msn.com.br

login.live.com

cartaoaura.com.br

bradescoprime.com.br

www.itaupersonnalite.com.br

itaupersonnalite.com.br

americanexpress.com.br

www.sicredi.com.br

sicredi.com.br

portal.sicredi.com.br

www.realsecureweb.com.br

realsecureweb.com.br

www.hotmail.com

hotmail.com

www.americanexpress.com.br

www.americanexpress.com

www.real.com.br

www.bancoreal.com.br

real.com.br

bancoreal.com.br

www.hotmail.com.br

hotmail.com.br

itau.com.br

www.itau.com

itau.com

imagem.caixa.gov.br

imagem.caixa.com.br

imagem.cef.gov.br

imagem.cef.com.br

www.bradesco.com.br

bradesco.com.br

www.bradesco.com

bradesco.com

www.itau.com.br

www.realsecureweb.com.br

Taking a look at the URLs where the HOSTS file is located, we have found another directory in the same server that contains some highly suspicious folders:

This is what we see if we visit some of these folders:

These are phishing sites to steal your credentials. Don’t worry about this one, as since yesterday we are blocking the URLs and the malware was proactively detected with TruPrevent.

If you really want to help our Japanese friends, please click here and donate now.

Exit mobile version