Contain links that lead to malicious websites

Jul 15, 2010 17:24 GMT  ·  By

Web and email security vendor Websense has issued an alert about a new spam campaign producing fake My Opera account activation emails. All links contained in the rogue messages lead to a malicious website.

“Heads up! Malicious My.Opera.com account activation emails are now circulating,” a warning posted on Websense's Twitter feed reads. By the looks of one of the offending messages, it appears that spammers are sending out almost perfect copies of the real My Opera account activation notifications.

The "From" field of these rogue emails is forged to make them appear to originate from a real Opera address. Their subject is “Welcome to My Opera!” and the content includes an activation link, which ends with a "&username=boffin" parameter. It seems that “boffin” is a real account, but there is no indication as to why it is abused in this spam.

Furthermore, legit My Opera account activation emails contain two paragraphs reading: “Your username is: [username]” and “Your profile page is at: http://my.opera.com/[username]”. For some reason, in the rogue messages reported by Websense the [username] parts do not match, one paragraph listing “haymixer” and the other “boffin”.

The haymixer account also exists and was registered in June. The title and subtitle of the blog associated with it is “ecard”, pointing to a possible connection with spam. Like the real activation emails, the fake ones also list links to other Opera services. However, clicking on any of them is definitely not a good idea, as they point to a malicious website.
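The two tell-tale signs described above (usernames that disagree between the activation link, the username line and the profile URL, and links that leave Opera's domain) can be checked mechanically. The following Python sketch is an added example, not code from Websense or Opera; it assumes a plain-text message body and that genuine mails link only to hosts under opera.com, and the sample messages, the `malicious.example` host and the `/activate` path are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption: a genuine My Opera mail only links to hosts under opera.com.
TRUSTED_SUFFIXES = ("opera.com",)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
USERNAME_RE = re.compile(r"Your username is:\s*(\S+)")
PROFILE_RE = re.compile(r"Your profile page is at:\s*https?://my\.opera\.com/([^/\s]+)")

def host_is_trusted(host):
    """True only for opera.com itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def check_activation_mail(body):
    """Return a list of findings; an empty list means nothing inconsistent was seen."""
    findings, names = [], {}
    m = USERNAME_RE.search(body)
    if m:
        names["username line"] = m.group(1)
    m = PROFILE_RE.search(body)
    if m:
        names["profile URL"] = m.group(1)
    for url in URL_RE.findall(body):
        parsed = urlparse(url.rstrip(".,)"))
        if not host_is_trusted(parsed.hostname):
            findings.append(f"link to untrusted host: {parsed.hostname}")
        user = parse_qs(parsed.query).get("username")
        if user:
            names["activation link"] = user[0]
    if len(set(names.values())) > 1:
        findings.append(f"username mismatch: {names}")
    return findings

# Constructed samples (not the real messages); host and paths are placeholders.
ROGUE_SAMPLE = """Welcome to My Opera!
Activate: http://malicious.example/activate?code=abc&username=boffin
Your username is: haymixer
Your profile page is at: http://my.opera.com/boffin
"""
CLEAN_SAMPLE = """Welcome to My Opera!
Activate: http://my.opera.com/activate?code=abc&username=alice
Your username is: alice
Your profile page is at: http://my.opera.com/alice
"""

if __name__ == "__main__":
    for label, body in (("rogue", ROGUE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, check_activation_mail(body))
```

For HTML mail the same check would have to run on each link's `href` target rather than its visible text, since the displayed address can differ from the real destination.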

Copying the email templates used by popular services and replacing the links is an increasingly popular social engineering technique, suggesting that at least to some extent the method is working. Just yesterday we reported that spammers copied a legit e-flyer from ShopNBC and replaced all links in it with malicious ones. Twitter has also been impersonated numerous times in a similar manner.

You can follow the editor on Twitter @lconstantin