Researchers at security company AppRiver have issued a warning about a variant of the Fareit malware family that is using fake Amazon purchase confirmation emails to infect machines and steal any cryptocurrency it can find on them.

Troy Gill, manager of security research at AppRiver, details how his team has been monitoring, and blocking, what he describes as a stream of malicious emails over the last week. All pose as legitimate Amazon purchase confirmations, all state that 'your order has been confirmed', and all direct the reader to the attached, and infected, .doc file for the shipping and tracking details. If the recipient has macros enabled in Microsoft Office, specifically Microsoft Word, then their machine will become infected upon opening that document; otherwise the lure depends on the recipient clicking through Word's security warning to enable them. Although it has never really gone away entirely, the Word macro threat has seen something of a resurgence in recent months, and this is just the latest in a long line of examples.
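The attachment described above is only dangerous because it carries a VBA macro project, which is something a mail gateway can check for before the message ever reaches a user. The following is an added example written for this article, not code from AppRiver or from the campaign itself. It triages an attachment with two well-known quick heuristics: a legacy binary .doc is an OLE compound file whose directory entries expose stream names such as "_VBA_PROJECT" and "Macros" as UTF-16LE text, and an OOXML .docm/.docx is a ZIP archive in which a macro project appears as a vbaProject.bin member. It also flags an extension that disagrees with the real container, or a supposedly macro-free .docx that carries a project. The sample files and the function names are constructed here for the demonstration and are not from the original page.

```python
"""Attachment macro triage: does this Office file carry a VBA macro project?

Added example, not code from AppRiver or the article. Two heuristics:
  * OLE compound files (.doc/.xls) begin with D0 CF 11 E0 A1 B1 1A E1 and store
    directory entry names as NUL-terminated UTF-16LE, so a raw byte scan for
    "_VBA_PROJECT" / "Macros" / "VBA" reveals a macro project;
  * OOXML files (.docm/.docx) are ZIPs; a macro project is the member
    word/vbaProject.bin (or xl/vbaProject.bin for Excel).
The sample attachments below are constructed inline for the demonstration.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Storage/stream names that only exist when a VBA project is present.
VBA_STREAM_NAMES = ["_VBA_PROJECT", "VBA", "Macros"]


def _utf16le(name: str) -> bytes:
    return name.encode("utf-16-le")


def ole_has_vba(data: bytes) -> bool:
    """Raw scan of an OLE compound file for VBA project directory entries."""
    if not data.startswith(OLE_MAGIC):
        return False
    # Require the UTF-16LE NUL terminator so "VBA" does not match inside
    # the longer "_VBA_PROJECT" (which is itself a hit anyway).
    return any(_utf16le(n) + b"\x00\x00" in data for n in VBA_STREAM_NAMES)


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML is a ZIP; a VBA project is stored as a vbaProject.bin member."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: container type, macro presence, whether the
    extension lies about the container, and a gateway block decision."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        container, has_vba = "ole", ole_has_vba(data)
    elif data.startswith(ZIP_MAGIC):
        container, has_vba = "ooxml", ooxml_has_vba(data)
    else:
        container, has_vba = "unknown", False
    expected = {"doc": "ole", "dot": "ole", "xls": "ole",
                "docx": "ooxml", "docm": "ooxml", "xlsx": "ooxml", "xlsm": "ooxml"}
    mismatch = ext in expected and expected[ext] != container
    # .docx/.xlsx are defined as macro-free; a project inside one is tampering.
    macro_in_macro_free_ext = has_vba and ext in ("docx", "xlsx")
    return {
        "container": container,
        "has_vba": has_vba,
        "ext_mismatch": mismatch or macro_in_macro_free_ext,
        "block": has_vba or mismatch,   # policy: no macro-bearing attachments from outside
    }


def _fake_ole(with_vba: bool) -> bytes:
    """Constructed sample: OLE header plus a directory-like blob of entry names."""
    body = bytearray(OLE_MAGIC + b"\x00" * 504)          # 512-byte header, rest zeroed
    body += _utf16le("Root Entry") + b"\x00\x00"
    body += _utf16le("WordDocument") + b"\x00\x00"
    if with_vba:
        body += _utf16le("Macros") + b"\x00\x00" + _utf16le("_VBA_PROJECT") + b"\x00\x00"
    return bytes(body)


def _fake_ooxml(with_vba: bool) -> bytes:
    """Constructed sample: a minimal ZIP with the OOXML member layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


SAMPLES = {  # constructed, not real campaign files
    "Order_Confirmation.doc": _fake_ole(with_vba=True),
    "invoice.doc": _fake_ole(with_vba=False),
    "Shipping_Details.docx": _fake_ooxml(with_vba=True),   # macro inside a "macro-free" type
    "readme.docm": _fake_ooxml(with_vba=False),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:24s} {triage_attachment(name, blob)}")
```

The byte scan is a triage signal, not a parser: a crafted file can hide stream names (for example by fragmenting them across sectors) or plant them without a real project, so anything flagged should be handed to a proper OLE/VBA extractor such as oletools' olevba for the actual macro source, and anything clean should still be subject to the gateway's normal macro policy.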

"This family of malware is often distributed via Word documents with malicious macros embedded and has been known to drop multiple malware variants on the target machine," Troy Gill explains, continuing, "in this particular case the malware quickly goes to work attempting to steal the Outlook password along with website passwords from various browsers such as Firefox, IE, Chrome and Opera. It then attempts to harvest account credentials for a lengthy list of FTP and multiple file storage programs."

It also starts looking for, and stealing, any cryptocurrency it finds on the target machine, a behaviour that Gill says is becoming increasingly common in the threats they are seeing. "The anonymous nature and lack of regulation in the Crypto Currency market make it more akin to stealing actual cash than to committing wire fraud by raiding someone's online bank accounts," he observes. Not that the perpetrators seemed too worried about that here, seeing as the last observed behaviour of the malware was to drop a copy of Zeus onto the machine, just in case any bank-related data could be captured as well.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.