Right after the LinkedIn spam campaign, we saw a brand new spam campaign impersonating the iTunes Store.
The e-mail appears to arrive on behalf of the iTunes Store and is an exact copy of the official iTunes Store receipt e-mail.
From the email header,
From: iTunes Store
Subject: Your receipt #155562898256
Date: October 1, 2010 11:01:10 PM GMT+08:00
To: YourName
Delivered-To: your@email.address.com
Received: by 10.216.237.150 with SMTP id y22cs208673weq; Fri, 1 Oct 2010 07:04:49 -0700 (PDT)
Received: by 10.142.203.16 with SMTP id a16mr4707302wfg.213.1285941888137; Fri, 01 Oct 2010 07:04:48 -0700 (PDT)
Received: from email.address.com ([0.0.0.0]) by mx.google.com with ESMTP id 13si2771198wfg.81.2010.10.01.07.04.46; Fri, 01 Oct 2010 07:04:48 -0700 (PDT)
Received: from KVSCHALD (unknown [180.215.161.77]) by email.address.com (AntiSpam Platform) with ESMTP id 58C5ED8A2DC43D37 for ; Fri, 1 Oct 2010 22:04:25 +0800 (MYT)
Received: from badger1402.apple.com (badger1402.apple.com [17.254.6.185]) by mail.romanmfg.com with SMTP id A993453C8F8 for ; Fri, 1 Oct 2010 07:01:10 -0800
Read from the bottom up, the chain does not hold together. The last Received: line claims the message went from badger1402.apple.com (17.254.6.185) to mail.romanmfg.com, yet the hop above it shows the message arriving at email.address.com from an entirely different host, KVSCHALD at 180.215.161.77 with no reverse DNS. The timestamps disagree too: that hop is stamped 22:04:25 +0800 (14:04 UTC), almost an hour before the 07:01:10 -0800 (15:01 UTC) of the hop it supposedly followed. The Apple line was written by the sender before the message was ever sent; the KVSCHALD host is the real origin.
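As an added example (this is not code from the original post), the Python below walks the Received: chain above the way an analyst does, hop by hop, and flags the two inconsistencies that expose the forged Apple line: the host one hop says it delivered to is not the host the next hop received from, and the clock runs backwards between those hops. The five header lines are embedded as constructed input copied from the post; the 5-minute clock-skew tolerance is an assumption.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed input: the Received: lines from the spoofed receipt as printed in the post,
# in header order (first entry = last hop, nearest the recipient; last entry = claimed first hop).
RECEIVED_LINES = [
    "Received: by 10.216.237.150 with SMTP id y22cs208673weq; Fri, 1 Oct 2010 07:04:49 -0700 (PDT)",
    "Received: by 10.142.203.16 with SMTP id a16mr4707302wfg.213.1285941888137; Fri, 01 Oct 2010 07:04:48 -0700 (PDT)",
    "Received: from email.address.com ([0.0.0.0]) by mx.google.com with ESMTP id 13si2771198wfg.81.2010.10.01.07.04.46; Fri, 01 Oct 2010 07:04:48 -0700 (PDT)",
    "Received: from KVSCHALD (unknown [180.215.161.77]) by email.address.com (AntiSpam Platform) with ESMTP id 58C5ED8A2DC43D37 for ; Fri, 1 Oct 2010 22:04:25 +0800 (MYT)",
    "Received: from badger1402.apple.com (badger1402.apple.com [17.254.6.185]) by mail.romanmfg.com with SMTP id A993453C8F8 for ; Fri, 1 Oct 2010 07:01:10 -0800",
]

# "from HELO (rdns [ip]) by HOST ... ; date"; the from-clause is absent on internal hops.
HOP_RE = re.compile(
    r"^Received:\s*"
    r"(?:from\s+(?P<helo>\S+)\s*(?:\(\s*(?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\s*\))?\s*)?"
    r"(?:by\s+(?P<by>\S+))?"
    r"[^;]*;\s*(?P<date>.+?)\s*$",
    re.IGNORECASE,
)


def parse_received(line):
    """Split one Received: header into its hand-off fields and a timezone-aware datetime."""
    m = HOP_RE.match(line)
    if not m:
        raise ValueError("unparseable Received: line: " + line)
    date = re.sub(r"\s*\([^)]*\)\s*$", "", m.group("date"))  # drop a trailing "(PDT)" comment
    return {
        "helo": m.group("helo"),
        "rdns": m.group("rdns"),
        "ip": m.group("ip"),
        "by": m.group("by"),
        "time": parsedate_to_datetime(date),
    }


def analyze_received(lines, max_skew=timedelta(minutes=5)):
    """Return (origin_hop, findings). Hops below the first chain break are treated as forged."""
    hops = [parse_received(line) for line in lines]
    findings = []
    origin = None
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]  # upper should have received the message from lower's "by" host
        if upper["helo"] and lower["by"] and lower["by"] not in (upper["helo"], upper["rdns"]):
            findings.append(
                f"chain break: hop {i + 1} claims delivery to {lower['by']}, "
                f"but hop {i} received the message from {upper['helo']} [{upper['ip']}]"
            )
            if origin is None:
                origin = upper  # everything below this point was written by the sender
        if lower["time"] - upper["time"] > max_skew:  # a relay cannot receive before the previous hop sent
            findings.append(
                f"time anomaly: hop {i + 1} stamped {lower['time']} is later than hop {i} at {upper['time']}"
            )
        if (upper["rdns"] or "").lower() == "unknown":
            findings.append(f"no reverse DNS for {upper['helo']} [{upper['ip']}] at hop {i}")
    if origin is None:  # clean chain: trust the earliest hop that names an IP
        origin = next((h for h in reversed(hops) if h["ip"]), None)
    return origin, findings


if __name__ == "__main__":
    origin, findings = analyze_received(RECEIVED_LINES)
    print("real origin:", origin["helo"], origin["ip"])
    for f in findings:
        print("-", f)
```

The break is detected at the hand-off between the KVSCHALD hop and the Apple hop, so the origin reported is 180.215.161.77, not 17.254.6.185. The same walk works on any header set: a chain with no break resolves to its earliest hop that carries an IP.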
The whole purpose of the e-mail is not to show you what you bought from the iTunes Store; it is to get you to click “Report a Problem”, which leads you to a fake Adobe Flash installer.
After clicking the URL, we see the following:
The .exe file actually connects to a .ru web site to download further files:
##########.ru/bin/koethood.bin
www.#####.com/webhp
##########.ru/9xq/_gate.php
##########.ru/9xq/_gate.php
##########.ru/9xq/_gate.php
This is the malware report.
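The traffic listed above, an initial payload fetch from a .ru host followed by repeated hits on the same _gate.php URL, is the pattern a proxy-log check should catch. The Python below is an added example, not code from the post: it parses a few constructed Squid-style access.log lines (the .ru and .com hostnames are placeholders standing in for the redacted ones, and the client IPs and timestamps are made up) and reports each client that downloaded a .bin or .exe payload and then requested one URL at a regular interval. The thresholds (three hits, 25% jitter) are assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed Squid native access.log lines: timestamp elapsed client code/status bytes method URL ...
# Hostnames are placeholders for the redacted ones in the post; clients and times are made up.
ACCESS_LOG = """\
1285942000.101 312 10.0.0.12 TCP_MISS/200 51234 GET http://example-redacted.ru/bin/koethood.bin - DIRECT/198.51.100.7 application/octet-stream
1285942001.455 88 10.0.0.12 TCP_MISS/200 1024 GET http://www.example.com/webhp - DIRECT/198.51.100.8 text/html
1285942005.002 90 10.0.0.12 TCP_MISS/200 320 POST http://example-redacted.ru/9xq/_gate.php - DIRECT/198.51.100.7 text/html
1285942065.010 91 10.0.0.12 TCP_MISS/200 320 POST http://example-redacted.ru/9xq/_gate.php - DIRECT/198.51.100.7 text/html
1285942125.019 89 10.0.0.12 TCP_MISS/200 320 POST http://example-redacted.ru/9xq/_gate.php - DIRECT/198.51.100.7 text/html
1285942130.500 200 10.0.0.45 TCP_MISS/200 8000 GET http://www.example.com/webhp - DIRECT/198.51.100.8 text/html
1285942131.000 150 10.0.0.45 TCP_MISS/200 8000 GET http://www.example.com/webhp - DIRECT/198.51.100.8 text/html
1285942190.000 150 10.0.0.45 TCP_MISS/200 8000 GET http://www.example.com/webhp - DIRECT/198.51.100.8 text/html
"""

PAYLOAD_EXT = (".bin", ".exe")  # assumed extensions for a dropped second-stage file


def parse_squid(line):
    """Pull the fields we need from one Squid native-format log line."""
    f = line.split()
    return {"ts": float(f[0]), "client": f[2], "method": f[5], "url": f[6]}


def find_beacons(log_text, min_hits=3, max_jitter=0.25):
    """Map client IP -> findings for clients that fetched a payload and/or beacon to one URL."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse_squid(line)
            by_client[r["client"]].append(r)
    results = {}
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        findings, payload_hosts = [], set()
        for r in reqs:
            u = urlparse(r["url"])
            if u.path.lower().endswith(PAYLOAD_EXT):
                payload_hosts.add(u.hostname)
                findings.append(f"payload download: {r['method']} {r['url']}")
        for url, n in Counter(r["url"] for r in reqs).items():
            if n < min_hits:
                continue
            times = [r["ts"] for r in reqs if r["url"] == url]
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = sum(gaps) / len(gaps)
            # Regular spacing between identical requests is the beaconing signature; a user
            # reloading the same page produces the same count but irregular gaps.
            regular = mean > 0 and (max(gaps) - min(gaps)) / mean <= max_jitter
            to_payload_host = urlparse(url).hostname in payload_hosts
            if regular or to_payload_host:
                findings.append(
                    f"{'regular beacon' if regular else 'repeated requests'}"
                    f"{' to payload host' if to_payload_host else ''}: {n}x {url} every ~{mean:.0f}s"
                )
        if findings:
            results[client] = findings
    return results


if __name__ == "__main__":
    for client, findings in find_beacons(ACCESS_LOG).items():
        print(client)
        for f in findings:
            print("  -", f)
```

Only 10.0.0.12 is reported: it fetched koethood.bin and then hit _gate.php every 60 seconds. The second client also requested one URL three times, but at irregular intervals and from a host it never downloaded a payload from, so it is left alone.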
10 comments
We would like to report that we have experienced the same issues that you have reported here, LinkedIn followed by iTunes.
I did download this fake “flash player”; I scanned and did a system restore.
Any suggestions how I can make sure that I do not have it?
I think it is funny that the spammers try to lead Apple users to an Adobe Flash download.
Either they are being ironic, or maybe they are so silly as not to be aware of the Steve Jobs war against Adobe Flash.
The ever-amazing world of spammers…
I received the same spam