The folks at Symantec Security Response have discovered a new Trojan horse program that tries to steal credit card numbers by masquerading as a Microsoft activation program.
Symantec researcher Takashi Katsuki wrote in the Symantec Security Response blog that Trojan.Kardphisher isn’t the most sophisticated malware he’s ever seen. But the effort the author took to make it appear legitimate is certainly noteworthy, he said.
On the machines it infects, the Trojan launches an official-looking screen claiming that the user’s copy of Windows was activated by someone else. “To help reduce software piracy, please reactivate your copy of Windows now,” the screen reads. “We will ask you for your billing details, but your credit card will NOT be charged.”
Katsuki said the PC shuts down when the user selects “No.” But if they select “Yes” they get a second screen asking them to offer up their name and credit card number, which is then sent to the thief’s server.
“This Trojan teaches us all a good lesson,” Katsuki wrote. “Trust no one. Sad though it may be, the days of leaving your front door unlocked are over.”
The good news for those using Windows Vista or XP is that this only seems to affect desktops running Windows 95, 98, 2000, and NT. Server 2003 is also affected, however.