A few weeks ago I commented on a very similar case: the attackers sent fake emails pretending to be CinePlanet, a cinema chain in Peru, to infect users with malicious downloads.
In the last few days a variant of the same attack has appeared and it is still active, so be careful. This time they make victims believe that they have won an LCD and that they must download and fill out a form to claim it:
The form is actually a Trojan, form_LCD.exe (16/42). If you pay attention to the following screenshot, you can see that the link destination is a .info domain. The attackers registered the address cineplanet .info (Do Not Enter) to deceive their victims (the actual address is www.cineplanet.com.pe):
Note: do not enter the .info domain because you could infect your computer.
Once the victims click, the .exe Trojan that pretends to be an LCD form is downloaded:
As we see, it is quite an elaborate attack, although some details should raise suspicion, such as the misspellings and the generic way of addressing the winners: "Dear: Cineplanet user…". If you really had won a prize, they would at least know your name.
CinePlanet, for its part, has published a notice on its Facebook page and on Twitter to alert all customers. For a researcher or security enthusiast, it can be very interesting to read the user comments. There are all kinds: some users detected the deception thanks to common sense, others did not.
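The two technical giveaways described above (the brand name on a domain that is not the official one, and a "form" that is really an executable download) can be checked mechanically. The following Python sketch is an added example, not code from the original post; the sample URLs, the function name `check_link` and the extension list are constructed for illustration, and only the two domains and the file name come from the post.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "cineplanet.com.pe"  # legitimate site named in the post
BRAND = "cineplanet"
# Assumed list of extensions that indicate a program rather than a document.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat")

LOOKALIKE = "brand name on a non-official domain"
EXECUTABLE = "link downloads an executable"


def check_link(url):
    """Return the reasons why a link in a 'Cineplanet' email looks suspicious."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and the port, so a link such as
    # http://www.cineplanet.com.pe@other.example/ is judged by its real host.
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []

    # Official means the domain itself or one of its subdomains, nothing else.
    official = host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)
    if BRAND in host and not official:
        reasons.append(LOOKALIKE)

    if parts.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append(EXECUTABLE)
    return reasons


if __name__ == "__main__":
    # Constructed sample links; paths are illustrative only.
    samples = [
        "http://www.cineplanet.com.pe/promociones",
        "http://cineplanet.info/form_LCD.exe",
        "http://www.cineplanet.com.pe@cineplanet.info/",
    ]
    for link in samples:
        verdict = check_link(link) or ["no obvious warning signs"]
        print(link, "->", "; ".join(verdict))
```

A clean result only means that neither of these two signs is present; it does not prove that a link is safe.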
For example, we see the following:
Since he always receives promotional messages, at first he thought it was something real. He tried to open the form and the download seemed suspicious (common sense), so he visited the company's Facebook page to get more information. That simple action (contacting the company, looking for information on their page) prevented his computer from getting infected.
Another thing, which perhaps I should not mention, is that everyone who comments on the Facebook page could become a victim of future attacks. Why? Because their full names appear, and these can be used in personalized emails. Getting their email addresses will not be complicated, considering that on Facebook we are all friends and we add anyone who has a nice photo.
Thanks to Paul for sending this in!
See also: Phishing from Cinemark Peru seeks to infect with false trivia.