Fake "Request Approved" Comprafacil Email Contains Link to Malware
The email message below with the subject: "Request Approved" or "Pedido Aprovado" is a fake and contains a link to a malware located on Google Docs. The email message was not sent by Comprafacil, although it appeared to have been sent from their email address. Please do not open the email, click on the link, or download the malicious file.
Comprafacil.com or Comprafacil.com .br is one of the top three e-commerce websites in Brazil.
The Fake Comprafacil Email
Subject: Pedido Aprovado
Date: Mon, 24 Jun 2013 01:38:19 -0300
From: Comprafacil @comprafacil.comPrezado(a) Cliente,
Gostariamos de informar que o debito em seu cartao de credito foi efetuado e o pagamento ja foi confirmado. Sua mercadoria ja esta em transporte.
Lembramos que para facilitar o recebimento, e necessario que haja alguem autorizado no local da entrega.
Previsao de entrega:
28/06/2013.
Para acompanhar seu pedido, por favor acesse o link abaixo:www.comprafacil.com/pedido.asp?pedido4782=sp?confirmada
Atenciosamente, SAC - www.comprafacil.com
Translated into English:
Subject: request Approved
Date: Mon, 24 Jun 2013 01:38:19 -0300
From: Comprafacil @comprafacil.comDear (a) Customer
We would like to inform you that the debit on your credit card and the payment was made has already been confirmed. Their merchandise is already in transit.Remember that to facilitate the receipt, it is necessary that there be someone authorized on-site delivery.
Prediction of delivery:
28/06/2013.
To track your order, please visit the link below:www.comprafacil.com/pedido.asp?pedido4782=sp?confirmada
Sincerely, SAC - www.comprafacil.com
Although the link in the email message appears to go to the website www.comprafacil.com at the following location, it does not:
- http://www.comprafacil.com/pedido.asp? pedido 4782=sp?confirmada
The link actually goes to the web page Cliente.html on the website sustente.org .br, located at the following web address:
- http://sustente.org .br/clientes/cliente02 /Cliente.html
The Cliente.html web page then downloads the malicious file from the Google Docs website at the following location, where the malicious file is stored:
- https://docs.google.com/ uc?id=0BzlAOijoJXwTMj VYNy1a WXRHTU0&export=download
The name of the malicious file is "pedido4782=spconfirmada.com".
Do not open this malicious file because you have an antivirus software installed. This is because only seven antivirus software were able to detect this malicious program.
Also, please remember that the name of this malicious file may change.
The following shows the list of antivirus software and the threat they detected when they scanned the file: "pedido4782=spconfirmada.com".
File name: pedido4782=spconfirmada.com
Analysis date: 2013-06-24 10:21:05 UTC
Threat:
- AntiVir TR/Symmi.20860.10
- BitDefender Gen:Variant.Symmi.18194
- Emsisoft Gen:Variant.Symmi.18194 (B) 20130624
- F-Secure Gen:Variant.Symmi.18194 20130624
- GData Gen:Variant.Symmi.18194
- McAfee-GW-Edition Heuristic.BehavesLike. Win32.Suspicious-BAY.K
- TrendMicro-HouseCall TROJ_GEN.F47V0624
If you receive the malicious email message, please delete it and warn your friends and family about it.
If you have already downloaded and open this file, please download and install one of the the free version of the antivirus software below:
BitDefender - click here to download
Avira - click here to download
Use the antivirus software to do a full scan of your computer.
Check the comment section for additional information, or share what you know or ask a question about this article, by clicking the 'View or Write Comment' button below.
Note: Some of the information in samples on this website may have been impersonated or spoofed.