401k retirement account scam that can cause some serious damage

May 31, 2012 09:09 GMT

A number of fake newsletter emails purporting to originate from Resource Nation have been seen doing the rounds. They claim to offer 401K retirement savings account information, but in reality they hide a malicious scheme that’s designed to spread the infamous SpyEye Trojan.

AppRiver experts discovered that the cybercriminals behind the campaign quickly shut it down, most likely after realizing that the notification’s subject line didn’t match the actual content. However, this may only be a temporary glitch, so we decided to inform our readers of this threat in case it re-emerges.

The message itself is well designed, displaying titles such as “Considerations When Structuring Your Company's 401k Program”, “Is Your Company 401k Saavy”, and “Guide to Learning 401k Terms.”

While they may look legitimate enough, all the links contained in the shady newsletter point to compromised websites hosting a redirection JavaScript that sends the visitor to the 198.136.53.72 IP address.

On this host, a drive-by download is set up to push the SpyEye Trojan by leveraging a Java vulnerability.

In the next phase, the victim is redirected to msn.com, probably to avoid raising any suspicion on the user’s side.

As always, Internet users are advised to be on the lookout for such notifications. The best way to check their legitimacy is to hover the mouse cursor over the links; if they point to anything other than an official website, delete the email immediately.

If you realize that you’ve already fallen for the scam and you believe that your Java installation is not up-to-date, make sure to run a full system scan with antivirus software to ensure that your device is not infected with SpyEye.

Webmasters, for their part, are advised to regularly check their websites for any signs of misuse. You can ease this process by using a tool like the Hash Code Verifier we presented a few weeks ago.