
Warning to WebMoney users: phishers have begun sending a fake client program

Hello reader!



Today I want to describe, and warn about, a method of taking money from the “population” that was new to me. This time the population is the users of the fairly popular WebMoney service. A rather amusing letter arrived in my mailbox today, supposedly from WebMoney:



Dear WebMoney Transfer member!


WebMoney system has released a new version of the program.
WebMoney Keeper Classic 3.8.0.0 which does not require
installation and takes only 1.5mb
This program is in the closed access and
sent to the mail of our customers for security purposes.
The program is in this message.

This is an automatic letter. If you have any questions, you can
study Reference information: www.webmoney.ru/rus/about/demo
or send a question to support@wmtransfer.com

Respectfully,
Team WEBMONEY TRANSFER




And everything would be fine, but Webmoney:







The letter also contained, among other things, an “English-language” version of the message, but with terrible syntax errors. That is what made me look at the headers of the letter, and this is what was there:



X-Kaspersky: Checking
Return-path: <mrpotolo@biz12bl.bizhosting.ru>
Received: from [82.140.91.142] (port=59507 helo=biz12bl.bizhosting.ru)
    by mx43.mail.ru with esmtp
    id 1Le70Z-0000iy-00
    for orenlab@list.ru; Mon, 02 Mar 2009 15:12:31 +0300
Received-SPF: none (mx43.mail.ru: 82.140.91.142) client-ip=82.140.91.142; envelope-from=mrpotolo@biz12bl.bizhosting.ru; helo=biz12bl.bizhosting.ru;
X-Mru-PTR: none
X-Mru-NR: 1
X-Mru-OF: unknown (unknown)
X-Mru-RC: RU
Received: from mrpotolo by biz12bl.bizhosting.ru with local (Exim 4.69 (FreeBSD))
    (envelope from <mrpotolo@biz12bl.bizhosting.ru>)
    id 1Le70X-000Efj-36
    for orenlab@list.ru; Mon, 02 Mar 2009 15:12:29 +0300
To: orenlab@list.ru
Subject: WebMoney Keeper Classic 3.8.0.0
X-PHP-Script: mrpotolok.ru/svids/svf/wmwids/mail.php for 95.84.11.76
MIME-Version: 1.0;
Content-Type: multipart/mixed; boundary="- 8f71e28220cb8225029c69bbb564bc9f"
From: WebMoney <support@wmtransfer.com>
Message-Id: <E1Le70X-000Efj-36@biz12bl.bizhosting.ru>
Sender: User Mrpotolo <mrpotolo@biz12bl.bizhosting.ru>
Received: for <orenlab@pop.list.ru>
Date: Mon, 02 Mar 2009 15:12:29 +0300
X-Spam: Not detected




At first glance this is ordinary spam, if not for one thing: the attachment was an executable file named WebMoney Keeper Classic 3.8.0.0.exe, with the same icon as the real client and, moreover, compiled with the same version information as the real one:



Version language: Russian (Russia)
CompanyName: CJSC Computing Forces
FileDescription: WebMoney Keeper Classic Runner Module
FileVersion: 3, 6, 0, 1
InternalName: WebMoney Keeper Classic
LegalCopyright: Copyright 1998-2008 by CJSC “Computing Forces”
LegalTrademarks: WebMoney Transfer
OriginalFilename: webmoney.exe
ProductName: WebMoney Keeper Classic
ProductVersion: 3, 6, 0, 1
Comments: WebMoney. Confidence Internet Information Service Technology.

Creation Date: 03/02/2009 20:15:27
Last Modif. Date: 03/02/2009 20:15:30
Last Access Date: 03/02/2009 00:00:00
FileSize: 1586688 bytes (1549.500 KB, 1.513 MB)
FileVersionInfoSize: 2244 bytes
File type: Application (0x1)
Target OS: Win32 (0x4)
File / Product version: 1.0.0.0 / 1.0.0.0
Language: Russian (Russia) (0x419)
Character Set: 1251 (ANSI - Cyrillic) (0x4E3)
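The headers above and the attachment description give everything a mail filter needs to flag this message without opening the attachment: the From: address claims wmtransfer.com, while Return-path, Sender:, the SPF envelope-from and the HELO name all point at biz12bl.bizhosting.ru, the SPF result is "none", X-PHP-Script shows the mail was generated by a web script, and the only attachment is an .exe. The following Python script is an added example, not code from the original post or from WebMoney; it applies those checks to a constructed copy of the message. The header values are taken from the post, but the MIME boundary, the body text and the attachment bytes (a 16-byte DOS-header stub, not a real program) are made up for the example, as is the "clean" message used to show the checks stay quiet on an ordinary mail.

```python
"""Triage a suspicious message for the header/attachment mismatches
described above (added example, not part of the original post)."""
import email
import re
from email.utils import parseaddr

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Constructed sample: header values copied from the post; the MIME
# boundary, body text and attachment bytes are made up for this example.
RAW_MESSAGE = """\
Return-path: <mrpotolo@biz12bl.bizhosting.ru>
Received: from [82.140.91.142] (port=59507 helo=biz12bl.bizhosting.ru)
    by mx43.mail.ru with esmtp
    id 1Le70Z-0000iy-00
    for orenlab@list.ru; Mon, 02 Mar 2009 15:12:31 +0300
Received-SPF: none (mx43.mail.ru: 82.140.91.142) client-ip=82.140.91.142; envelope-from=mrpotolo@biz12bl.bizhosting.ru; helo=biz12bl.bizhosting.ru;
Received: from mrpotolo by biz12bl.bizhosting.ru with local (Exim 4.69 (FreeBSD))
    (envelope from <mrpotolo@biz12bl.bizhosting.ru>)
    id 1Le70X-000Efj-36
    for orenlab@list.ru; Mon, 02 Mar 2009 15:12:29 +0300
To: orenlab@list.ru
Subject: WebMoney Keeper Classic 3.8.0.0
X-PHP-Script: mrpotolok.ru/svids/svf/wmwids/mail.php for 95.84.11.76
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="example-boundary-constructed"
From: WebMoney <support@wmtransfer.com>
Sender: User Mrpotolo <mrpotolo@biz12bl.bizhosting.ru>
Date: Mon, 02 Mar 2009 15:12:29 +0300

--example-boundary-constructed
Content-Type: text/plain; charset="windows-1251"

Dear WebMoney Transfer member! (phishing text omitted)
--example-boundary-constructed
Content-Type: application/octet-stream; name="WebMoney Keeper Classic 3.8.0.0.exe"
Content-Disposition: attachment; filename="WebMoney Keeper Classic 3.8.0.0.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--example-boundary-constructed--
"""

# Constructed ordinary message: all sender identities agree, SPF passes.
CLEAN_MESSAGE = """\
From: Alice <alice@example.com>
Return-path: <alice@example.com>
Received-SPF: pass (mx.example.net: 192.0.2.1 is permitted) client-ip=192.0.2.1; envelope-from=alice@example.com; helo=mail.example.com;
Content-Type: text/plain

hello
"""


def domain_of(address: str) -> str:
    """Domain part of an RFC 5322 address ('' if there is none)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def same_org(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def spf_fields(spf_header: str) -> dict:
    """Split 'result (comment) key=value; key=value; ...' into a dict."""
    fields = {"result": spf_header.split(None, 1)[0].lower() if spf_header else ""}
    for key, value in re.findall(r"(\w[\w-]*)=([^\s;]+)", spf_header):
        fields[key.lower()] = value.lower()
    return fields


def triage(raw: str) -> list:
    """Return human-readable findings; an empty list means no header
    contradicts the From: domain and no executable is attached."""
    msg = email.message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From", ""))

    # Envelope sender and Sender: should belong to the From: domain.
    for header in ("Return-path", "Sender"):
        value = msg.get(header)
        if value and not same_org(domain_of(value), from_domain):
            findings.append(f"{header} domain {domain_of(value)} != From domain {from_domain}")

    # SPF verdict and the identities the receiving MX actually saw.
    spf = spf_fields(msg.get("Received-SPF", ""))
    if spf["result"] in ("none", "neutral", "softfail", "fail"):
        findings.append(f"SPF result is '{spf['result']}' for {spf.get('client-ip', '?')}")
    envelope_from = spf.get("envelope-from", "")
    if envelope_from and not same_org(envelope_from.rpartition("@")[2], from_domain):
        findings.append(f"SPF envelope-from {envelope_from} != From domain {from_domain}")
    helo = spf.get("helo", "")
    if helo and not same_org(helo, from_domain):
        findings.append(f"HELO name {helo} is not under From domain {from_domain}")

    # Mass-mailer trace: the message was produced by a PHP script.
    script = msg.get("X-PHP-Script")
    if script:
        findings.append(f"generated by web script: {script}")

    # Executable attachments, judged by the declared file name.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"executable attachment: {name}")
    return findings


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE):
        print("-", line)
```

Run against the sample, triage() reports seven findings (Return-path, Sender, SPF "none", envelope-from, HELO, X-PHP-Script and the .exe attachment), and none for the clean message. Matching a subdomain (same_org) rather than the exact domain keeps legitimate mail relayed through mail.example.com quiet, while a HELO name from an unrelated hosting provider still stands out.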





I didn’t run it, as common sense says you shouldn’t :). Be careful, so that you don't lose control of your WebMoney Keeper, or the money in it, through carelessness.



PS I have, of course, sent this sample to the WebMoney security service, but I think it would not hurt to notify a wider audience as soon as possible (I know that not only information security gurus are present on Habr).

Source: https://habr.com/ru/post/53327/
