Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Shopping in my sleep? No, just malware.

I received my confirmation email from Athleta so quickly, I didn’t even remember placing the order. But I was intrigued by the possibility of my having ordered a long list of great-sounding swimwear and summer clothes from Athleta without even realizing it. Am I that addicted to e-commerce that I can shop in my sleep? Or was I having a shopaholic blackout? Perhaps it was time for an intervention.

To dig a little deeper into the issue, I visited the Athleta site (NOT by clicking through the link in the email, after all I do work for a security company). How would the Shirrendipity halter tankini listed in the confirmation email look on me? Hmm… XL does seem a little bit too big, but, who knows, maybe their sizes run small… I’m really trying to convince myself there is a tankini on its way to me that I don’t remember ordering.

If you haven’t figured it out by now, this email was NOT sent by Athleta. It was sent by a purveyor of malware, trying to get me to click on one of the hyperlinks within the message. As part of my regular workweek, I see a lot of spam, malware and phishing emails. But this email message looked SO good, so convincing — down to the sporty shirred swim skirt in the order list, that quite frankly, I could have ordered — that even I was fooled for a minute. Even though I had never heard of the store. I even went to far as to type in my email address in the “forgot your password” wizard at, to see if maybe, just maybe, I had set up an account there & ordered something without realizing it, since after all, there are lots of e-commerce partnerships these days.

There is always some detail that is a little “off” on a phishing email, or as in this case, a targeted malware message, and I did notice the sizing, and of course the fact that I didn’t remember ordering from the store. The message was so good, however, that I was even willing to overlook these tiny issues. But for the suspicious among us, another detail is a dead giveaway – the link in the email doesn’t match the link seen when you hover over it with the mouse. Even though “” looks like it could be a legitimate Athleta domain, the visible hyperlink should match the link it’s actually taking me to, so this is another hint that it’s not a real confirmation email. No legitimate business would include text that appears to be a hyperlink and stealthily hide the real hyperlink in the source code.

Once I realized I hadn’t been sleep-shopping, I relaxed and sent the message to my colleagues in the virus and spam labs and asked them: What would have happened if I had clicked on the link? The answer isn’t pretty (nowhere near as pretty as the Venetian Blue All Terrain Skirt I also supposedly ordered).

Clicking on the “order status” or “return policy” URLs in the email message downloads a zip file which includes the executable “invoice_athleta_order—.exe”. If opened, the first thing this malware does is determine my geographical location. Whatever happens after this may depend on the location since the results are sent to a control server. The malware then copies or downloads several other pieces of malware: “google.exe”, “googles.exe”, “googletools.exe” and “SOD.exe.” Note that the names of the files sound legitimate, so even if I notice them on my computer, I probably won’t be suspicious.

“googletools.exe” downloads a configuration file with a list of sites and URLs. Browsing to these sites will trigger another bit of malware, most likely logging my keystrokes or taking screenshots in order to steal my login usernames and passwords. Among the sites that trigger this behavior are:

  • AlertPay
  • Amazon
  • AT&T
  • Bank of America
  • Best Buy
  • Black Hat SEO Forum
  • CHASE Home
  • Citibank
  • Craigslist
  • Facebook
  • Fifth Third Bank
  • Go Daddy
  • Google Checkout
  • Hack Forums
  • Harris Bank
  • IBackup
  • IMVU
  • LastPass
  • Liberty Reserve
  • Lockerz
  • Moneybookers
  • Myspace
  • Netflix
  • Newegg
  • Payment Gateway (
  • PayPal
  • PlayStation
  • PNC Bank
  • RapidShare
  • RoboForm
  • Target
  • TCF Bank
  • TheVault
  • T-Mobile
  • U.S. Cellular
  • Verizon
  • Warez-BB
  • WarriorForum
  • WebMoney
  • Western Union
  • World of Warcraft

In other words, almost every popular bank, e-commerce site, cell phone provider, etc. where I might enter a credit card or banking credentials is fair game for this nasty malware that tried to target me through my unfulfilled wish to own the perfect tankini.

They say a bathing suit is a slim layer of protection against the sun’s harsh rays. In this case I was barely a Lycra thread away from getting a serious malware infection.

Well, looking on the bright side, this malware-laden email got me to visit the real So why didn’t I order anything from Athleta? Maybe I will.

Email text:

Dear Rebecca Herson

Thanks for shopping at Your order number is #15YNB0G. Please print this page or write this number down, for future reference. This order should arrive within 9 business days.

You may check the status and order information of your order by:–G

Size Unit
Qty Total Return
Sporty Shirred Swim Skirt
XL 44.00 1 44.00 Mail only
Shirrendipity Halter Tankini
XL 59.00 1 59.00 Mail only
Sporty Shirred Bottom
Garden Green
XL 42.00 1 42.00 Mail only
Shirrendipity Halter Bikini
Garden Green
DCUP 44.00 1 44.00 Mail only
Doran Dress
XL 69.00 1 69.00 Mail only
Double Dutch Tee
Venetian Blue
XL 54.00 1 54.00 Mail only
All Terrain Skirt
16 59.00 1 59.00 Mail only
Summary of Charges
Order Subtotal: 371.00
Shipping & Handling: Free
Tax: 28.64
Order Total: 399.64
Payment Info

You will receive a shipment notification email message as soon as we send your order. We may also send you additional updates regarding the status of your order. This email is for your records only and cannot be used as a receipt for in-store returns. To receive a full refund, you must bring the invoice included in your shipment to the store.

New: Gap, Old Navy, Banana Republic, and Piperlime return policies have changed. Return merchandise within 45 days of the original online purchase date. To view the entire return policy, CLICK HERE.

Sincerely, Customer Service

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...