Spam offering fake Visa benefits, rewards leads to TeslaCrypt ransomware


Spam campaign baits users with Visa Total Rewards emails containing malware that leads to Trojan.Cryptolocker.N infections. Credit card-related spam is a typical scam observed on a daily basis. Some of it attempts to fool recipients into giving up their personal information along with their credit card numbers in the form of phishing attacks, while the rest attempts to lure victims into various online scams. Credit card-related spam campaigns that carry malware, on the other hand, are not as commonly seen. Symantec Security Response has, however, recently observed a spam campaign offering fake Visa rewards and benefits as bait to deliver ransomware to recipients’ computers.

The email in this particular campaign purports to come from Visa Total Rewards and provides details about the benefits of using Visa credit cards. Attached to the email is an archive file which poses as a whitepaper containing more information about the supposed rewards and benefits offered by the program. If the recipient opens the attachment, they will see only an obfuscated JavaScript file (detected as JS.Downloader).

Figure 1. Malicious spam contains a fake whitepaper—an archive file containing JS.Downloader

If the recipient is fooled into opening the JavaScript file, the script downloads a variant of the TeslaCrypt ransomware (detected as Trojan.Cryptolocker.N) from the specified URL and runs it. A few minutes later, a message is displayed stating that all of the user’s files have been encrypted and payment in Bitcoin is required to decrypt the files.

Figure 2. JS.Downloader downloads TeslaCrypt ransomware, which informs victims their files have been encrypted

The ransomware provides more information to victims on a personalized home page and demands a payment of US$500 (or 1.2 bitcoins) within 160 hours of infection in order to unlock the encrypted files. If the transaction is not made within the specified time frame, the price doubles to $1,000. This page provides a contact form that offers assistance in case of payment issues or any other problems the victims may run into. There is also an opportunity to decrypt a single file for no fee to prove that the files can be properly decrypted.

Figure 3. Victims are given 160 hours to pay US$500 (1.2 BTC) to have their files decrypted, after which the demand doubles

The vast majority of the spam is being distributed to English-speaking countries, with the UK (40 percent) and the US (36 percent) most targeted. Other regions around the globe are affected as well, as seen in Figure 4.

Figure 4. Majority of the spam is being distributed to the UK and the US

The spam campaign began as early as February 17 and is still ongoing. Although Symantec telemetry indicates the peak of the campaign may have already passed (see Figure 5), it would not be surprising if the campaign starts picking up again since attackers behind TeslaCrypt are known to be very active. We may also come across spam runs using similar baits, so users need to be wary when receiving these types of messages in their mailboxes. Users must be especially vigilant if the email has an attachment with a JavaScript file inside, which is highly unusual.
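The indicator this campaign leaves at the mail gateway is the one the paragraph above singles out: an archive attachment that contains a JavaScript file. The following Python script is an added example (not Symantec's code or tooling) that parses a raw message, opens any ZIP attachment, and reports archive members with script extensions. The page mentions only a JavaScript file; the additional .jse and .wsf extensions, the sender address, the subject line, and the attachment name are all constructed assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script extensions that have no business inside a "whitepaper" archive. The page
# mentions only a JavaScript file; .jse and .wsf (Windows Script Host) are assumed.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf")
ARCHIVE_TYPES = ("application/zip", "application/x-zip-compressed")


def suspicious_archive_members(archive_bytes: bytes) -> list:
    """Return member names inside a ZIP archive that look like scripts."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []  # not a ZIP; other archive formats are out of scope here


def flag_message(raw: bytes) -> list:
    """Scan a raw RFC 822 message; return 'attachment!member' strings worth quarantining."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_zip = part.get_content_type() in ARCHIVE_TYPES or name.lower().endswith(".zip")
        if not is_zip:
            continue
        for member in suspicious_archive_members(part.get_payload(decode=True)):
            hits.append(f"{name}!{member}")
    return hits


def build_sample_message() -> bytes:
    """Constructed lure in the shape of the campaign: a 'whitepaper' ZIP holding a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Visa_Total_Rewards_Whitepaper.js", "// constructed placeholder, not the real downloader\n")
    msg = EmailMessage()
    msg["From"] = "rewards@example.invalid"  # constructed sender, not from the campaign
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Visa Total Rewards - your benefits"
    msg.set_content("Please see the attached whitepaper.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Visa_Total_Rewards_Whitepaper.zip")
    return msg.as_bytes()
```

Running `flag_message(build_sample_message())` returns the archive and member name pair for the constructed lure, while a message whose ZIP holds only a PDF returns an empty list.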

Figure 5. Traffic observed on Symantec Email

A full protection stack helps to defend against these attacks, including Symantec Email, which can block email-borne threats, Symantec Web, which blocks web-based threats, and Symantec Endpoint Security.

Symantec and Norton products protect against the threats involved in this campaign with the following detections:

  • JS.Downloader
  • Trojan.Cryptolocker.N

Tips on protecting yourself from ransomware

  • Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
  • Always keep your security software up to date to protect yourself against any new variants of malware.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.