CryptoKitties cooperation phishing

Another cooperation phishing attempt, addressed to Youtubers.

This week I got some emails regarding a cooperation with Cryptokitties. The same email arrived yesterday that Pierre Carding wanted to work with my little YouTube channel. The messages are always the same, there is a promise that a lot of money needs to be spent, and you will get a lot of money.

I know the story, and usually this is a lame attempt to have users downloading malware. So I responded to the mail and got a link back to download a media kit. The mail server they are using is from “centrum.cz”, from what I can see, they offer some free mail addresses.

The media kit is hosted on a Google Drive account, and it is password protected.

The download is very small, less than one Megabyte. It is a ZIP file which I only open on my Linux virtual machine. Of course, the file is password protected. This is an old trick, so antivirus software can not check the file when downloading.

Once we have opened the small file, we can see that the size just increased massively. This is another trick called an archive bomb. In general, I always recommend uploading and check those files with services like VirusTotal.com, but checking big files is hard, since the file needs to be uploaded and these services often have a file size limit.

OK, let us have look to the extracted files. Here we have the usual suspect, a mp4.scr file. An SCR file is nothing less than a Windows screensaver, which is nothing less than an .exe file. Once you start this file on your Windows machine, your computer will become infected.

The upload took around 10 minutes with my fast internet connection and was no disappointment:

On the bright side, 10 scanners detect, that something is very wrong. On the dark side of antivirus software, 41 of 61 did not detect anything yet, so there is a good chance that your local virus scanner will not prevent you from executing that file and infecting your system.

So if something sounds to good to be true, it usually is.

Leave a Reply

Your email address will not be published. Required fields are marked *