Recently at Symantec Security Response, we came across a seemingly innocuous program that was being hosted at a number of different URLs. What flagged the file as unusual was the fact that many different customers were submitting the same file for analysis.

The basic behaviour of the program is to run you through a job suitability questionnaire before redirecting you to one of the following URLs:

hxxp://groupinc-upland.biz/registration/1
hxxp://artby-group.biz/registration/1
hxxp://artby-gorup.net/registration/1
hxxp://callisto-ltdco.net/registration/1
hxxp://kresko-group.biz/registration/1
hxxp://kresko-group.net/registration/1
hxxp://targetmarket-groupllc.net/registration/1
hxxp://neoline-llc.net/registration/1
hxxp://neoline-groupco.cc/registration/1

You cannot simply browse to these pages without first downloading and completing the suitability test.

This program generates a unique URL, giving you access to the registration page.

What is unnerving about this application is the amount of personal detail it requests.

It even asks for your online bank account details, including the URL, your login, and your password, in exchange for an extra $100.

As a final step, an email is sent to the supplied address whereby you are asked to sign an agreement and upload a scanned copy of your ID or a utility bill.

The contract states the purpose of the job:

“The Contractor undertakes the responsibility to receive payments from the Clients of the Company to his personal bank account, withdraw cash and to effect payments to the Company's partners by Western Union or MoneyGram money transfer system within one (1) day”

It also states the remuneration:

“The Contractor is engaged by the Company on terms of thirty-days (30) probationary period. During the probationary period the Company undertakes to pay to the Contractor the base salary amounting to 2300 USD per month plus 8% commission from each payment processing operation. After the probationary period the Company agrees to revise and raise the base salary to 3000 USD.”

And don’t forget the bonus $100 you can get from providing your online bank account details!

So-called money mules keep a cut of each transaction and wire the remainder of the cash to third-party accounts. This activity is illegal, and many cases have already ended up in the courts:

http://www.theregister.co.uk/2010/09/30/zeus_money_mules_charged/

http://www.wired.com/beyond_the_beyond/2010/10/the-zeus-money-mules-the-federal-complaints/

Users should also be aware that during this scam all of this sensitive information is sent over HTTP rather than HTTPS, so their bank details are transmitted in plaintext over the wire.
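As an added illustration (not code from the original post), the following Python script flags proxy-log requests that go to the registration URLs listed above, or to any registration form served over cleartext HTTP; the indicator list is copied from this post, while the log lines and their Squid-style layout are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators as published in the post (hxxp://), refanged below for matching.
DEFANGED_IOCS = [
    "hxxp://groupinc-upland.biz/registration/1",
    "hxxp://artby-group.biz/registration/1",
    "hxxp://artby-gorup.net/registration/1",
    "hxxp://callisto-ltdco.net/registration/1",
    "hxxp://kresko-group.biz/registration/1",
    "hxxp://kresko-group.net/registration/1",
    "hxxp://targetmarket-groupllc.net/registration/1",
    "hxxp://neoline-llc.net/registration/1",
    "hxxp://neoline-groupco.cc/registration/1",
]

def refang(url):
    """Turn a defanged hxxp:// indicator back into a real scheme for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)

IOC_HOSTS = {urlsplit(refang(u)).hostname.lower() for u in DEFANGED_IOCS}

def classify(url):
    """Return (verdict, reason) for a URL seen in a proxy log."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    # Match the listed domain itself or any subdomain of it (e.g. www.)
    listed = any(host == h or host.endswith("." + h) for h in IOC_HOSTS)
    if listed:
        return "block", "known Fakesurvey registration host"
    # Lower-confidence: a registration form submitted over cleartext HTTP
    if p.scheme == "http" and p.path.startswith("/registration/"):
        return "review", "cleartext HTTP registration form"
    return "allow", ""

# Constructed sample log: timestamp, client IP, method, URL (Squid-like layout, hypothetical data)
SAMPLE_LOG = """\
1301234567.001 10.0.0.5 POST http://kresko-group.biz/registration/1
1301234568.002 10.0.0.7 GET https://www.example.org/careers
1301234569.003 10.0.0.9 POST http://www.groupinc-upland.biz/registration/1
1301234570.004 10.0.0.5 POST http://jobs.example.net/registration/1
"""

def scan_log(text):
    """Return (client, verdict, url) for every line that is not plainly allowed."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url = parts[:4]
        verdict, _reason = classify(url)
        if verdict != "allow":
            hits.append((client, verdict, url))
    return hits
```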

As a general rule of thumb, users shouldn't share their personal information (passwords, bank account information, etc.) with anyone or any site unless they intentionally initiated the transaction themselves. Even when visiting pages that legitimately require personal information, make certain that the site is using encryption by looking for 'HTTPS' in the URL, along with a lock icon in the browser. This indicates the use of SSL. Note that HTTPS only protects the data in transit; it does not by itself mean that the site asking for the data is legitimate.

Symantec detects these survey applications as Fakesurvey.

http://us.norton.com/security_response/writeup.jsp?docid=2011-032307-1016-99&tabid=2