A new spam campaign with an information-stealing malware attachment has been circulating since March 7, 2014. While spam emails are typically sent to many people, in this campaign, the spammer has limited their targets to administrators of online Japanese shopping sites.
The attacker may have targeted these recipients for various reasons. As most online stores provide contact details on their Web page, they become easy targets since their email addresses can be easily harvested by crawling sites. The attacker could also have targeted the recipients to get the companies’ account details in order to steal data maintained by the stores. The attacker may have also wanted to compromise the shopping sites in order to carry out further attacks against the store’s visitors.
The malware, detected as Infostealer.Ayufos, is a basic information-stealing Trojan horse that is built to steal practically any data that the attacker requires. It has the following capabilities:
- Captures screenshots
- Logs keystrokes
- Acquires clipboard data
- Steals account credentials for several applications
- Sends the acquired information to an email account using SMTP
The attacker does not appear to have put too much effort into this scam. The email merely contains a couple of basic sentences along with the attachment. The attacker doesn’t try to hide the fact that they have attached an executable to the message. In typical spam campaigns, attackers disguise the executable as an image file to make it appear legitimate. The attacker behind this campaign must have either aimed to compromise only a handful of computers or they hoped that there were enough gullible recipients out there.
Figure 1. An example of the spam email, which claims that the sent item is broken and requires a replacement to be sent back
Symantec identified earlier samples of Infostealer.Ayufos in December of last year, but we have seen a handful of variants ever since. The variants have not only targeted Japanese online stores, but stores for English-speaking regions as well.
Figure 2. An example of a spam message which asks the user to check the attached software
Figure 3. An example of spam messages targeting English-speaking regions.
While we don’t see attackers targeting online stores with spam campaigns every day, this occurrence is certainly not extraordinary. Cybercriminals continue to evolve and modify their strategies to catch their targets off guard. There is almost no doubt that this attacker will target users again. Online store owners should be wary when handling unsolicited emails sent from unknown senders and should follow best security practices regardless of the region.