The latest phishing scam to hit the headlines comes under the guide of a Microsoft email, purporting to come from the Microsoft Volume Licensing Service Center (VLSC). The email contains content asking the user to click a link to download VLSC registration details and is very similar to a genuine email that was sent out by the real VLSC previously.
When a user clicks on the fake VLSC link the next page to open up is the VLSC registration page so it appears on the surface as if everything is genuine. However, at the same time as the registration page opens up a zip file is downloaded to the compromised computer and this is coming from somewhere completely different. Downloading the zip file introduces a Windows executable file with an SCR extension which, when opened, will introduce Chanitor into the victim computer. Chanitor is capable of installing a Trojan virus that will steal and transmit passwords. Unlike some other similar files, Chanitor can protect itself from discovery too – it is able to work out whether it is running in a sandbox and, if so, it simply copies itself to a file so as to be able to avoid sandbox analysis.
The phishing scam has so far been targeted at corporate IT systems, which makes it important to educate those who might receive an email and be tempted to click on it with so much business data at stake. One of the easiest ways to prevent the link from being clicked upon is to urge caution and ask users to carry out a quick test of the genuineness of the content. While the link in the phising email appears to be from Microsoft all it takes is to quickly hover the mouse over the link and it will reveal the real source of the email – if it’s not from Microsoft then the email should be immediately deleted.