Shopping in my sleep? No, just malware.

I received my confirmation email from Athleta so quickly, I didn’t even remember placing the order. But I was intrigued by the possibility of my having ordered a long list of great-sounding swimwear and summer clothes from Athleta without even realizing it. Am I that addicted to e-commerce that I can shop in my sleep? Or was I having a shopaholic blackout? Perhaps it was time for an intervention.  

To dig a little deeper into the issue, I visited the Athleta site (NOT by clicking through the link in the email; after all, I do work for a security company). How would the Shirrendipity halter tankini listed in the confirmation email look on me? Hmm… XL does seem a little bit too big, but, who knows, maybe their sizes run small… I’m really trying to convince myself there is a tankini on its way to me that I don’t remember ordering.

If you haven’t figured it out by now, this email was NOT sent by Athleta. It was sent by a purveyor of malware, trying to get me to click on one of the hyperlinks within the message. As part of my regular workweek, I see a lot of spam, malware and phishing emails. But this email message looked SO good, so convincing — down to the sporty shirred swim skirt in the order list, which quite frankly I could have ordered — that even I was fooled for a minute, even though I had never heard of the store. I even went so far as to type my email address into the “forgot your password” wizard at Athleta.com, to see if maybe, just maybe, I had set up an account there and ordered something without realizing it, since after all, there are lots of e-commerce partnerships these days.

There is always some detail that is a little “off” on a phishing email, or as in this case, a targeted malware message, and I did notice the sizing, and of course the fact that I didn’t remember ordering from the store. The message was so good, however, that I was even willing to overlook these tiny issues. But for the suspicious among us, another detail is a dead giveaway – the link in the email doesn’t match the link seen when you hover over it with the mouse. Even though “athleta-billing.com” looks like it could be a legitimate Athleta domain, the visible hyperlink should match the link it’s actually taking me to, so this is another hint that it’s not a real confirmation email. No legitimate business would include text that appears to be a hyperlink and stealthily hide the real hyperlink in the source code.
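
One way to automate the hover check described above, as an added example (not code from this post or from Athleta): it parses the anchors in an HTML mail body and flags any whose visible text looks like a URL but whose href lands on a different registrable domain. The sample mail body is constructed from the wording in the post, and ORDERID is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(text):
    """Registrable domain (crude last-two-labels rule, no public-suffix list), or None."""
    candidate = text if re.match(r"^[a-z][a-z0-9+.-]*://", text, re.I) else "http://" + text
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    if not host or "." not in host or " " in host:
        return None
    return ".".join(host.rstrip(".").split(".")[-2:])

def mismatched_links(html):
    """Return (visible_text, href) pairs whose text looks like a URL but whose
    href resolves to a different registrable domain than the one displayed."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if domain_of(text) and domain_of(href) and domain_of(text) != domain_of(href)]

# Constructed sample modelled on the confirmation email in the post; the hover
# target is the domain the post names, and ORDERID is a placeholder.
SAMPLE = """<p>You may check the status and order information of your order by:</p>
<a href="http://athleta-billing.com/order?id=ORDERID">http://www.athleta.com/myaccount/order?=ORDERID</a>
<p>To view the entire return policy, <a href="http://athleta-billing.com/returns">CLICK HERE</a>.</p>
<p>Visit <a href="http://www.athleta.com/">www.athleta.com</a> for more.</p>"""

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE):
        print(f"MISMATCH: shows {text!r} but goes to {href!r}")
```

Only the first link is reported: “CLICK HERE” is not URL-like, so it is skipped, and the last link shows and goes to the same domain.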

Once I realized I hadn’t been sleep-shopping, I relaxed and sent the message to my colleagues in the virus and spam labs and asked them: What would have happened if I had clicked on the link? The answer isn’t pretty (nowhere near as pretty as the Venetian Blue All Terrain Skirt I also supposedly ordered).

Clicking on the “order status” or “return policy” URLs in the email message downloads a zip file which includes the executable “invoice_athleta_order—.exe”. If opened, the first thing this malware does is determine my geographical location. Whatever happens after this may depend on the location since the results are sent to a control server. The malware then copies or downloads several other pieces of malware: “google.exe”, “googles.exe”, “googletools.exe” and “SOD.exe.” Note that the names of the files sound legitimate, so even if I notice them on my computer, I probably won’t be suspicious.

“googletools.exe” downloads a configuration file with a list of sites and URLs. Browsing to these sites will trigger another bit of malware, most likely logging my keystrokes or taking screenshots in order to steal my login usernames and passwords. Among the sites that trigger this behavior are:

  • AlertPay
  • Amazon
  • AT&T
  • Bank of America
  • Best Buy
  • Black Hat SEO Forum
  • CHASE Home
  • Citibank
  • Craigslist
  • Facebook
  • Fifth Third Bank
  • Go Daddy
  • Google Checkout
  • Hack Forums
  • Harris Bank
  • IBackup
  • IMVU
  • LastPass
  • Liberty Reserve
  • Lockerz
  • Moneybookers
  • Myspace
  • Netflix
  • Newegg
  • Payment Gateway (authorize.net)
  • PayPal
  • PlayStation
  • PNC Bank
  • RapidShare
  • RoboForm
  • Target
  • TCF Bank
  • TheVault
  • T-Mobile
  • U.S. Cellular
  • Verizon
  • Walmart.com
  • Warez-BB
  • WarriorForum
  • WebMoney
  • Western Union
  • World of Warcraft

In other words, almost every popular bank, e-commerce site, cell phone provider, etc. where I might enter a credit card or banking credentials is fair game for this nasty malware that tried to target me through my unfulfilled wish to own the perfect tankini.

They say a bathing suit is a slim layer of protection against the sun’s harsh rays. In this case I was barely a Lycra thread away from getting a serious malware infection.

Well, looking on the bright side, this malware-laden email got me to visit the real Athleta.com. So why didn’t I order anything from Athleta? Maybe I will.

Email text:

Dear Rebecca Herson

Thanks for shopping at athleta.com. Your order number is #15YNB0G. Please print this page or write this number down, for future reference. This order should arrive within 9 business days.

You may check the status and order information of your order by:

http://www.athleta.com/myaccount/order?=15YN–G

Item                          Description    Size   Unit Price  Qty  Total  Return Type
Sporty Shirred Swim Skirt     Black          XL     44.00       1    44.00  Mail only
Shirrendipity Halter Tankini  White          XL     59.00       1    59.00  Mail only
Sporty Shirred Bottom         Garden Green   XL     42.00       1    42.00  Mail only
Shirrendipity Halter Bikini   Garden Green   DCUP   44.00       1    44.00  Mail only
Doran Dress                   Indigo         XL     69.00       1    69.00  Mail only
Double Dutch Tee              Venetian Blue  XL     54.00       1    54.00  Mail only
All Terrain Skirt             Cargo          16     59.00       1    59.00  Mail only

Summary of Charges
Order Subtotal: 371.00
Shipping & Handling: Free
Tax: 28.64
Order Total: 399.64

Payment Info
VISA:

You will receive a shipment notification email message as soon as we send your order. We may also send you additional updates regarding the status of your order. This email is for your records only and cannot be used as a receipt for in-store returns. To receive a full refund, you must bring the invoice included in your shipment to the store.

New: Gap, Old Navy, Banana Republic, and Piperlime return policies have changed. Return merchandise within 45 days of the original online purchase date. To view the entire return policy, CLICK HERE.

Sincerely,

athleta.com Customer Service