I don’t know what it is about this one that sets the Spidey Sense tingling.
Maybe it’s the fact it promises to make things all too easy – Vader reference there for anyone keeping score – for the lazy crook.
Maybe it could even be the fact that the filename has “666” in the title, which is generally a reasonable indicator of fiery flames and pointy pitchforks. Who knows.
What I do know is that this thing is an Autowhaler and promises an easy haul of plundered bounty on the high seas. For those of you who have no idea what I’m talking about – it’s okay, you don’t have to spare my feelings – I’ll now explain.
Autowhalers: What they are, and how they came to be
Autowhalers come in two flavours (no, not vanilla and chocolate) – websites, and programs. You can see an example of a website Autowhaler here. Imagine you’re a Phisher. You have an awesome collection of stolen logins and you can’t wait to crank out some viagra spam.
Now imagine I’m the laziest phisher who has ever lived.
I’d like a collection just like yours, but there’s no way I’m going to put any effort into obtaining such a stash because I have people from overseas to scream at on Xbox Live. No, I’ll just fire up an Autowhaler which checks known Phish URLs for common places where a productive Phisher would keep their logins (/passwords(dot)html or /logins(dot)html, for example).
Then I steal all your things, and do whatever I want with them – which probably doesn’t include leaving them on free webhosting for all and sundry to plunder.
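The flip side of the above, for whoever runs the web server a phishing kit ended up on: the same well-known dump paths an Autowhaler probes show up in the access log, and a 200 response to one of them means the harvested logins really were sitting there in the open. The following is an added example (not code from the original post or from any tool it describes) that parses constructed combined-format log lines and flags requests to those paths. The regex, the sample lines and the `DUMP_PATHS` set are assumptions; only the two filenames come from the post.

```python
"""Added example: flag access-log requests that probe the credential-dump paths
an Autowhaler is described as checking. All log lines below are constructed."""
import re
from collections import Counter

# The two paths named in the post; a real deployment would extend this set.
DUMP_PATHS = {"/passwords.html", "/logins.html"}

# Simplified Apache/nginx "combined" log format (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one client probing the dump paths, one ordinary victim
# visiting the fake bank page, plus a line that does not parse at all.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2012:10:01:03 +0000] "GET /passwords.html HTTP/1.1" 404 210
203.0.113.7 - - [10/Jan/2012:10:01:03 +0000] "GET /logins.html HTTP/1.1" 200 4096
198.51.100.22 - - [10/Jan/2012:10:05:44 +0000] "GET /bank/login.php?id=1 HTTP/1.1" 200 2048
198.51.100.22 - - [10/Jan/2012:10:05:50 +0000] "POST /bank/login.php HTTP/1.1" 302 0
garbage line that does not parse
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Compare on the path only; drop any query string before matching.
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def find_dump_probes(log_text):
    """Return (ip, path, status) for every request to a known dump path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].lower() in DUMP_PATHS:
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def summarize(hits):
    """Count probes per client and list the probes that were actually served.

    A 200 on a dump path is the important finding: it means the file existed
    and the harvested logins were exposed to whoever asked for them.
    """
    per_ip = Counter(ip for ip, _, _ in hits)
    served = [(ip, path) for ip, path, status in hits if status == 200]
    return per_ip, served


if __name__ == "__main__":
    probes = find_dump_probes(SAMPLE_LOG)
    counts, served = summarize(probes)
    for ip, n in counts.items():
        print(f"{ip}: {n} dump-path probe(s)")
    for ip, path in served:
        print(f"EXPOSED: {path} was served (200) to {ip}")
```

Run as-is it reports the probing client and that `/logins.html` was served; pointing `find_dump_probes` at a real access log is the only change needed to use it on a live host.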
At this point, the “666 Auto Whaler” comes back into play and our would-be Phishing King thinks, well, it looks legitimate and it even comes with a handy .txt file pointing out common places Phishers would attempt to hide their wares. What’s the worst that could happen?
Well, a 29/43 VirusTotal report for starters. But wait – that’s not the worst. That’s not even close to being the worst. No, the worst is right over here in your Temp Folder:
Hello there, Cryptedfile.exe – if that is your real name.
Which it isn’t. Step up to the plate, Trojan-PWS.Win32.Fignotok.A (v) – a known password stealer that generally likes to dabble in everything from gaming account logins to Instant Messaging and more besides.
36/43 VirusTotal score, Ladies and Gentlemen.
Now, there may well be a legitimate version of this tool floating around out there. It may even look like this:
Password stealer creators targeting Whalers going after Phishers may sound like a humorously confusing mess of bad people hitting each other in the face with bricks – and don’t think I haven’t thought about it – but the gag quickly evaporates once Little Jimmy loses five sets of credit card details to the void.