Remember the fraud campaign we discovered last summer ?

Well, we've been keeping an eye on this Trojan. Its configuration file has been regularly updated. Today the encrypted activation strings changed again to include some new targets in Italy or Malta (Bank of Valletta, BancadiRoma, BancodeSicilia for example).
But more interestingly, 2 new URL-strings have been added to targets:

(Extract)

...
+*dorcel.com
+*janswebring.com
...

(the "*" in front of the domain names means that all sub-domains are also being monitored as targets).

The pirates seem to look for accounts from the famous French porn producer Marc Dorcel and from the "Adult Movie Fan Community" JansWebring porn websites.

So, are they just bored of stealing money or is there a new “proof-of-concept” fraud-technique behind it?