Description
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain an account lockout notification from LogMeIn.com for the recipient. The text in the e-mail message attempts to convince the recipient to open the link to print and complete supporting documents. However, the link redirects to a .zip file that contains a malicious .pif file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID5483) may contain the following files:
logmein_unlock_form.zip
logmein_unlock_form.pif
The logmein_unlock_form.pif file in the logmein_unlock_form.zip archive has a file size of 259,584 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x2220822C4FF50AE7102E105DBA3C793D
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: LogMeIn Account Notification - Account locked
Message Body:
Dear LogMeIn User,
Your LogMeIn.com account has been locked due to several unsuccessful login attempts.
Event: Account locked
Source: Website
At: 3/6/2013 4:46 AM
From: 42.12.172.6
To:unlock your account, you will need to complete the following unlock form :
https://secure.logmein.com/download.asp?action=unlock&form_id=6482653
After the form has been completed, forward a scanned copy to security@logmein.com.
(Please do not reply to this email, as it's sent from an address that's not monitored.)
If you need additional help, visit LogMeIn Support at:
http://help.logmein.com/SelfServiceTicketSupportSales?support=1&lang=en
Regards,
LogMeIn.com Support
Source: Cisco