Fake Windows XP Activation Steals Credit Cards And Personal Details Including SSN
The Kardphisher Trojan, first spotted in the wild in April 2007, is malware that mimics the Windows XP activation interface while collecting the credit card details the end user submits. The new version makes significant changes to the trojan's visual interface and usability, improving its authenticity.
When a gullible end user falls victim to this social engineering attack, the credit card details automatically end up in an IRC channel set up specifically for that purpose. Some of the changes in the new version include a more legitimate-looking color scheme, improved restrictions that make it much harder for the end user to close the application without submitting their credit card details, built-in validation of credit cards and email, and display of the current product key to make the application look more legitimate.
Once the user enters all the validated data, the new version of the tool automatically removes itself as if the activation was successful. A bogus “verified by Visa” message will then request a social security number and a date of birth, which makes the trojan the perfect tool in the hands of identity thieves relying on nothing but plain, simple social engineering: the impersonation of Microsoft.
Systems affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP.
Once executed, the Trojan creates the file keylog.dll and creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soft2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKEY_CURRENT_USER\Software\sftc
The Trojan shuts down the compromised computer if the user does not enter their credit card numbers, and it prevents the user from running or switching to another application or the task manager. Stolen information is sent to http://81.29.241.170/in.*******.
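For triage, the registry indicators listed above can be checked offline against the text of a `reg export` dump. The following is an added example, not code from the original article; the function names and the sample export are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re
# Indicators from the article as (parent key, last component). The article
# calls them subkeys; in an export the last component may instead be a value
# name under the parent key, so both forms are checked (assumption).
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "soft2"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr"),
    (r"HKEY_CURRENT_USER\Software", "sftc"),
]
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text):
    """Parse .reg text into {key path: {value name: raw data}}, lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def find_kardphisher_traces(text):
    """Return (registry path, evidence) for every indicator found in text."""
    keys, hits = parse_reg_export(text), []
    for parent, leaf in INDICATORS:
        full = parent + "\\" + leaf
        values = keys.get(parent.lower(), {})
        if full.lower() in keys:
            hits.append((full, "key present"))
        elif leaf.lower() in values:
            hits.append((full, "value " + values[leaf.lower()]))
    return hits

# Constructed sample export (not real data); the executable path is made up.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"soft2"="C:\\constructed\\sample.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\sftc]
'''

if __name__ == "__main__":
    for path, evidence in find_kardphisher_traces(SAMPLE):
        print(path, "->", evidence)
```

A hit on DisableTaskMgr alone is weak evidence, since other software and administrators also set it; the data is returned so an analyst can weigh it together with the other two indicators.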