While investigating the Waledac malware, UAB malware analysts Brian Tanner and Thom Savage discovered a new scam targeting those who may be feeling the economic pinch.
Over Valentine's Day weekend, the UAB Spam Data Mine had revealed dozens of websites spreading a fake Valentine's Day ecard as a way of tricking users to visit websites which would infect their computer with the Waledac virus.
When revisiting the same domains, Tanner and Savage, who study in the UAB Computer Forensics program, found that they now contained a Coupon website instead of a Valentine's Day e-Card.
Based on the new evidence, the students logged in to the UAB Spam Data Mine looking for new coupon scams, and quickly identified emails, with URLs such as:
The website includes a geo-location code, so that the page seems to offer coupons localized for where your computer is located. In our case, the pages offered coupons for "Birmingham, United States" on a page that looked like this:
A quick Google search found that "Couponizer.com" is a real company, based in Cummings, Georgia, run by Amy Bergin. (We've left her a voicemail to offer our assistance). Her website looks like this:
Some of the many domain names used in the current coupon scam malware are:
The malware name changes with nearly every visit, however we have seen it named:
Some of the other email subjects we received were:
All sales on one site
Useful information, Look at it!
You'll thank me
You can find such coupons and sales only here! Up to 90% off!
You will be appreciated
A good way to save money is to use these coupons
Like the Valentine's Day e-card malware last week, this malware is HUGE. More than 438 KB - or more than 10 times larger than much of the malware we see.
The current version gives this report from VirusTotal:
9 of 39 anti-virus products detecting. Notably neither AVG, McAfee, Symantec, or TrendMicro know that this is a virus at this time.