14 DAY TRIAL // A new spam campaign currently making the rounds produces emails that pose as e-gifts from friends, but in fact lead to an IRC-based trojan.
The emails have spoofed headers to appear as originating from [email protected] and bear a subject of "You have received a gift from one of our members !"
Freeze.com is a website offering desktop customization downloads such as screensavers, wallpapers, icons, sounds, mouse cursors and others.
It might be possible that attackers have modified a legit email template used by the website and replaced the real link with a malicious one.
The emails use a bit social engineering to attract people's interest and convince them to click on the contained link. They read:
"Hello friend ! You have just received a screensaver from someone who really cares about you! This is a part of the message:
'Hi there! It has been a very long time since I haven’t heared anything from you! I hope you enjoy this gift from me that i’ve sent with love … 'I’ve just found out about this service from Sharon, a friend of mine who also told me that…' If you’d like to see the rest of the message click here to receive your 3d live Dolphins."
According to security researchers from Belgian email security provider MX Lab, the included link leads to a gift.pif file hosted on what is most likely a compromised website.
The PIF format is not actually meant to contain executable code, but Windows treats it as such and because of this it has historically been abused to hide malware.
Nevertheless, the method is not common anymore and neither is the malware enclosed wihtin in this particular case, an IRCBot built using a mIRC installation preloaded with malicious scripts.
Users are always advised to exercise extra caution when dealing with links in emails, even when they appear to originate from trusted sources. Having an up-to-date antivirus installed is also a must.