
Social Networking Sites under Spammers’ Attack: Spoofed Orkut Emails!

Contributed by: Aurelija
Date: 2008-11-17


Spammers and other cyber-criminals are increasingly using social networking sites to spread their malicious content. We recently informed you about new spam campaigns targeting the Hi5 and Facebook web sites. This time researchers from Websense Security Labs have discovered a new malicious social-engineering spam campaign disguised as official emails from the Orkut web site.

Orkut is a Web 2.0 social networking site run by Google. The service states that it was designed to help users meet new friends and maintain existing relationships. Anybody can join Orkut with their Google account and start creating a profile and communicating with friends. It is one of the most popular social networking sites in Latin America (the most visited in Brazil) and the second most visited site in India.

The spam message that potential victims receive appears to be from the domain google.com. The spoofed email informs recipients that their Orkut account is being investigated and will be terminated within 72 hours. If they don't want their account to be closed, users are prompted to click on the provided link and follow the necessary instructions.

Below you can see a screenshot of a sample email:

orkut_spam.PNG

After clicking on the provided link, the user gets a malicious executable file installed on his or her computer. This is a Trojan Downloader called "regulamento_orkut.exe" (SHA1: 8eb1366d580aeab38d00a5c32835006c3648b8f3). The problem with this executable is that it has a very low detection rate among anti-virus software. Moreover, when run, this malicious executable downloads one more malicious file, "fax.exe" (SHA1: 8e1df3d55a778550affea7c5216e58a55beaf979). The second malicious file copies itself to multiple locations on the infected machine under different names. It also adds itself to startup and monitors browser activity in order to steal user information.

Below you can see a screenshot showing the malicious "fax.exe" downloaded onto the infected computer:

orkut_alert.PNG

Once more, everybody is warned to look with suspicion at any unsolicited emails and at links that recipients are prompted to follow. The best solution in this situation would be to delete any similar emails even without reading them. In case you think that the received email is not part of a spam campaign, you must be 100% sure of its legitimacy before clicking on any of the provided links or attached files. Of course, you should also not forget to keep anti-spam filters and anti-virus software up-to-date.
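
The following added example, which is not from the original article or from Websense, shows how a mail filter could flag the traits described above: a From address at google.com that disagrees with the envelope sender, a link pointing at an executable, and a file whose SHA1 matches the two values quoted in this article. The sample message and the `.example` hosts are constructed, and the header comparison is an assumed heuristic, not a description of how this campaign was actually detected.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# SHA1 values quoted in the article for the two executables.
KNOWN_SHA1 = {
    "8eb1366d580aeab38d00a5c32835006c3648b8f3": "regulamento_orkut.exe",
    "8e1df3d55a778550affea7c5216e58a55beaf979": "fax.exe",
}

# Constructed sample message; hosts under .example are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example>
From: Orkut <noreply@google.com>
To: user@mail.example
Subject: Your Orkut account is under investigation
Content-Type: text/plain

Your account will be terminated within 72 hours. To keep it, follow:
http://downloads.example/regulamento_orkut.exe
"""

def domain(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of reasons the message deserves suspicion."""
    msg = message_from_string(raw)
    reasons = []
    frm, env = domain(msg["From"]), domain(msg["Return-Path"])
    if frm and env and frm != env and not env.endswith("." + frm):
        reasons.append(f"From domain {frm} but envelope sender {env}")
    body = msg.get_payload()
    for url in re.findall(r"https?://\S+", body if isinstance(body, str) else ""):
        host = urlparse(url).hostname or ""
        if urlparse(url).path.lower().endswith((".exe", ".scr", ".pif")):
            reasons.append(f"link to executable: {url}")
        if frm and host != frm and not host.endswith("." + frm):
            reasons.append(f"link host {host} unrelated to {frm}")
    return reasons

def match_known_sha1(data):
    """Name of the article's sample whose SHA1 equals that of data, else None."""
    return KNOWN_SHA1.get(hashlib.sha1(data).hexdigest())
```

A mismatch between the From domain and the envelope sender also occurs in legitimate bulk mail, so treat it as one signal to combine with the others rather than a verdict.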
