Aug 20, 2010 12:11 GMT

A new wave of spam emails masquerading as resume submissions instructs recipients to open attached HTML files, which redirect them to scareware-pushing websites.

The fake emails come with a subject of "Resume" and their body contains short messages like "Attached, please find" or "please find attached my cv."

The name of the rogue attachment can vary. Messaging security vendor AppRiver reports one such email carrying a file called CV.html, while email security provider MX Lab intercepted a different one distributing Resume.html.

These HTML documents are simple redirect scripts, but they feature obfuscated JavaScript in order to avoid basic spam filters.
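A mail gateway can flag this kind of attachment without decoding the script. The following Python sketch is an added example, not code from the article or from the vendors it cites; the indicator patterns, the 40-character threshold and the function names are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string

# Constructed sample message; the encoded string decodes to the word "placeholder".
SAMPLE_EML = """\
From: applicant@example.invalid
Subject: Resume
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached, please find
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="CV.html"

<html><body><script>eval(unescape("%70%6c%61%63%65%68%6f%6c%64%65%72"))</script></body></html>
--b1--
"""

# Assumed indicators: the article does not say which obfuscation the campaign used.
OBFUSCATION = re.compile(r"\b(eval|unescape|fromCharCode|atob)\s*\(", re.I)
ENCODED_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){8,}", re.I)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def score_html_attachment(html):
    """Return the reasons an HTML attachment looks like an obfuscated redirector."""
    js = "\n".join(SCRIPT.findall(html))
    if not js:
        return []
    visible = re.sub(r"<[^>]+>", "", SCRIPT.sub("", html)).strip()
    checks = {
        "decoder-call": OBFUSCATION.search(js),    # runtime string decoding
        "encoded-run": ENCODED_RUN.search(js),     # long %xx or \xNN sequence
        "no-visible-text": len(visible) < 40,      # nothing for a human to read
    }
    return [reason for reason, hit in checks.items() if hit]

def scan_message(raw):
    """Map each flagged .html/.htm attachment filename to its reasons."""
    findings = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename() or ""
        if name.lower().endswith((".html", ".htm")):
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            findings[name] = score_html_attachment(html)
    return {name: reasons for name, reasons in findings.items() if reasons}
```

A genuine HTML resume carries readable text and rarely needs a decoder call, so requiring two or more reasons before quarantining keeps false positives down.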

The website they redirect to displays a "PLEASE WAITING 4 SECOND..." message and loads rogue code from an external address in a hidden IFrame.

All this has the purpose of initiating a classic fake antivirus scan animation, which falsely claims the visitor's computer is infected with malware and instructs them to download an .exe file.

This executable is actually an installer for a scareware application, which poses as a legit antivirus product and bombards the user with fake malware-related warnings and alerts until they agree to pay for a useless license.

Unfortunately, people who fall victim to such scams not only lose a significant sum of money, but also compromise their credit cards in the process.

As of earlier today, 19 of the 42 antivirus engines listed on VirusTotal detect the scareware file used in this attack as malicious.

The technique of attaching HTML redirectors to spam emails seems to have taken off recently, as we've reported on multiple campaigns using it. However, all of them were associated with Zbot distribution efforts.

This is the first time we've seen the method used in conjunction with scareware schemes in recent times, suggesting that other spammers are also picking it up.