Visa Rewards Spam Email Campaign Spreads TeslaCrypt Ransomware

A new spam campaign targeting PC users has been making the rounds lately. The campaign is disguised as an email from the credit card company Visa about its rewards program. Unfortunately, the email is fake, and the only reward PC users can get out of it is a ransomware virus.

Credit card related spam email campaigns have been going around for a long time, but they don’t usually involve malware. The new malicious spam email poses as Visa informing customers about rewards and benefits when using its credit cards. The spam email contains a whitepaper that purportedly has additional information on the rewards program, though it is actually a JavaScript file posing as a document.

Security experts have identified this file as JS.Downloader. This is a Trojan that downloads malicious files from websites (in this case, the TeslaCrypt ransomware) and executes them. As soon as the file is executed, the user’s computer and files get locked and held for ransom.

More information on how the ransomware demands payment is provided below:

“The ransomware provides more information to victims on a personalized home page and demands a payment of US$500 (or 1.2 bitcoins) within 160 hours of infection in order to unlock the encrypted files. If the transaction is not made within the specified time frame, the price doubles to $1,000. This page provides a contact form that offers assistance in case of payment issues or any other problems the victims may run into. There is also an opportunity to decrypt a single file for no fee to prove that the files can be properly decrypted.”

While the campaign is mostly targeting US and UK email users, it has also been detected in Australia and other English-speaking regions.

Security researchers advise PC users to be very careful with emails that carry JavaScript attachments.
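That advice can be enforced at the mail gateway rather than left to each recipient. The sketch below is an added example, not code from the article or from any vendor: it flags script attachments and singles out names where a script extension follows a document extension, and, going beyond what the article describes, it also looks inside ZIP attachments. The extension lists and all file names are assumptions constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: script types Windows Script Host runs on double-click.
SCRIPT_EXTS = {"js", "jse", "wsf", "wsh", "vbs", "vbe"}
# Assumption: extensions a lure borrows to look like a document.
DOC_EXTS = {"pdf", "doc", "docx", "rtf", "txt", "xls", "xlsx"}

def classify(filename):
    """Return a finding for a script file name, or None for anything else."""
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) > 2 and parts[-2] in DOC_EXTS:
        return "script-posing-as-document"  # e.g. name.doc.js
    return "script-attachment"

def scan_message(raw_bytes):
    """List (name, finding) for script attachments, including ZIP members."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names = [name]
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    names += [f"{name}!{member}" for member in zf.namelist()]
            except zipfile.BadZipFile:
                findings.append((name, "unreadable-archive"))
        findings += [(n, v) for n in names if (v := classify(n))]
    return findings

def build_sample():
    """Constructed message; the text and file names are invented for this example."""
    msg = EmailMessage()
    msg.set_content("Details are in the attached whitepaper.")
    msg.add_attachment(b"// inert placeholder", maintype="application",
                       subtype="octet-stream", filename="rewards_whitepaper.doc.js")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="terms.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.js", "// inert placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="statement.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` reports the disguised `.doc.js` attachment and the script inside the ZIP, while the plain PDF passes; a gateway would quarantine or strip anything returned.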
