It looks like e-crooks’ interest in Yahoo!® is getting bigger and bigger these days. According to what my colleagues from the labs whispered to me a couple of days ago, two brand new breeds of credential stealers are targeting the users of the Yahoo!® portal.
One of them – Trojan.PWS.Agent.SLW – penetrates unprotected systems via altered applications that unsuspecting users download from warez sites and execute on their computers. The BitDefender labs discovered this Trojan in a customized package, bundled with CurseClient, a free add-on manager that allows users to browse, install, and update add-ons for World of Warcraft™, Warhammer Online©/™ and ©Runes of Magic.
Cybercriminals appended one dodgy executable – ar96.exe – to the clean kit of the add-on manager. After the manager installation completes, the aforementioned executable is launched, creating a plain-vanilla text file in the Temp directory and stealing the credentials used on Yahoo!® and CurseClient.
The other piece of malware trying to steal Yahoo!® usernames and passwords is Trojan.Agent.AQOU, which injects iFrames into HTML pages and uses a DLL belonging to WinPcap to transmit the pilfered data.
Safe surfing everybody!
This article is based on the technical information provided courtesy of Dumitru-Bogdan Prelipcean and Alexandru Maximciuc, BitDefender Online Threats Researchers.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.