Spam Attack Spreads Trojan Through Microsoft Hole

You need to be aware of fake emails being sent by criminals posing as Allergan Limited. Allergan is a widely respected, global, technology-driven multi-specialty health care company based in the UK, and with a presence in many countries around the world.

One of Allergan’s lines of business is medical testing. The fake emails being sent have the subject “Medical Laboratory Results: MEFHNAO796MEFHNAO791”. Who expecting lab results wouldn’t open an email claiming to have those results? Taking advantage of people when they are so vulnerable makes these attack that much more insidious.

The email goes on to state: “ Further to our telephone conversation, please find details attached in response to your medical information inquiry. I have been advised that you can contact them and they should be able to assist you.”

The attachment contains malware designed to exploit a Microsoft Office vulnerability that allows creation of a backdoor (BKDR_LIFTOH.AD). Through this backdoor the infamous Trojan ZeuS is uploaded to the victim’s computer. ZeuS steals information from its victims.

Typically this Microsoft exploit, BKDR_LIFTOH.AD, is distributed through social networking sites, and instant messaging. It is rare to see it done through spam. However recently there are three variants of this spam attack exploiting the BKDR_LIFTOH.AD to infect computers with ZeuS.

The second pretends to be from Estates Industry PVT. The subject being “Order Acknowledgement,” the email body reads: “We acknowledge & confirm your order for [product], as follows: Find herewith the attached order invoice.”

The third pretends to be from DENSO Manufacturing UK. This time the subject is “invoice document”.

So far the targets of these criminal activities are UK citizens. However all three companies have international customers so do not open these emails unless you can verify the source and authenticity via phone. For more on staying safe check out my book.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s