Date: 06 May 2005
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
A U S C E R T A L E R T
AL-2005.011 -- AUSCERT ALERT
"Infra-Pay" fraudulent e-mails and malicious web site
6 May 2005
AusCERT has become aware of fraudulent e-mails circulating widely to
Australian recipients. The e-mails entice users to visit a malicious web
site. This web site contains browser-based exploits which attempt to
download and install a trojan specifically designed to capture credentials
used to access secure websites and e-mail accounts.
The malicious web sites that are linked to in the e-mails attempt to
download and run an executable file, typically named server.exe. This file
is detected by multiple antivirus vendors as a variant of the trojan known
as Berbew (aka: Padodor and Webber).
Several browser-based exploits are attempted to facilitate the downloading
of this trojan. The trojan then attempts to install a keylogger to
facilitate the capture of internet banking and email credentials. The
captured details are stored in a file on the compromised system and later
uploaded to a website.
This exploit requires user interaction - deleting these e-mails as they
arrive and not clicking on any links they contain is a safe mitigation
Ensuring your computer is up to date with the latest windows patches and
allowing scripts to execute from trusted sites only will offer protection
against exploitation by this web site.
The exploits on this site specifically target Internet Explorer, so using
an alternate browser will also offer protection against exploitation by
this web site.
Updated antivirus signatures may allow detection of this threat. AusCERT
recommends regular updating of virus definitions to ensure the maximum
level of protection available from such threats.
For more information regarding protecting your computer from malicious
AusCERT has seen several different types of e-mail messages, but all
attempt to entice the reader to infra-pay.com. The following are some
examples known by AusCERT, but other varieties may also be in circulation:
known e-mail From addresses include:
o "Infrapay" <email@example.com>
o "infra-pay" <firstname.lastname@example.org>
o "Credits" <email@example.com>
o "InfraPay" <firstname.lastname@example.org>
o "infra-pay" <email@example.com>
o "Payment" <firstname.lastname@example.org>
known e-mail Subject lines include:
o You've got cash
o You've been sent money
o Claim your money
---- start example Infra-Pay email ----
You've just been sent money with Infra-Pay!
Memo: First part payment
To accept this payment, please go to http://www. infra-pay.com and enter
your claim code: 10829300.
If you do not wish to accept this payment, simply ignore this message and it
will automatically be canceled in 72 hours. You will also get a reminder to
claim your cash within the next 48 hours if you do not claim it now.
Infra-Pay.com is a new Internet payment system based on the newest payment
processing technologies. You will have the following options to withdraw your
- - Direct credit to your bank account in Australia, New Zealand or the
USA (usually takes 2 to 3 business days)
- - Order a cheque (incurs a $2.50 fee)
- - Order a free debit card (ATM withdrawal fees apply)
- - E-mail money to someone else
To accept this payment, please go to http://www.infra-pay.com and enter your
claim code on the front page. Your claim code is 10829300.
(c) 2005 Infra-Pay.com. All rights reserved.
---- end example Infra-Pay email ----
After the initial infection from:
An infected system will also attempt to contact the following sites:
Administrators may wish to actively block or monitor access to these domains.
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----