Lead to drive-by download attack

Jul 2, 2010 16:50 GMT  ·  By

A spam campaign currently in circulation attempts to scare users into clicking on malicious links by claiming that their domain name has been suspended by ICANN. Victims' computers are exploited, and the victims eventually end up on a Canadian Pharmacy site.

ICANN's 38th Meeting took place last week in Brussels and has attracted a lot of media attention. The organization took several big decisions like allowing the application for the .XXX domain TLD to go forward and approving a number of internationalized domain names for Chinese script.

"Apparently the malware authors behind this week's campaigns found this event big enough, or interesting enough to want to pose as ICANN themselves in an attempt to infect computers with their malicious code," warn spam researchers from email and Web security vendor AppRiver. According to them, this latest campaign is run by the same spam gang that previously lured victims with fake Amazon.com and Buy.com receipts.

The new rogue emails have their "From" field spoofed to appear as originating from "ICANN Services" and come with a subject of "ICANN attention letter." The message inside reads "Your Domain Has Been Suspended" and also contains instructions to click on a link for more information. Several ICANN logos and images are embedded in the body as well, in order to increase the scam's credibility.
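The traits listed above (a display name claiming to be ICANN, the "ICANN attention letter" subject, the suspension wording and a link the reader is urged to click) are exactly what a mail-gateway rule would key on. The following triage script is an added example written for this article; it is not AppRiver's or ICANN's tooling. It parses raw messages with Python's standard `email` module and reports which of the article's indicators each one matches. The two messages at the bottom are constructed samples, and the assumption that a genuine notice would come from and link to `icann.org` is ours, not something the article states.

```python
"""Heuristic triage for the fake "ICANN Services" suspension lure.

Added example, not code from the article or from AppRiver/ICANN.
The sample messages below are constructed; no real sender is implied.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators taken from the article: spoofed display name, subject line and
# body wording.  The legitimate domain is an assumption made for this example.
LEGIT_ICANN_DOMAINS = {"icann.org"}
LURE_SUBJECT = "icann attention letter"
LURE_BODY = "your domain has been suspended"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _domain_of(address: str) -> str:
    """Lowercase domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def _is_legit_host(host: str) -> bool:
    """True when host is one of the assumed legitimate domains or a subdomain."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_ICANN_DOMAINS)


def _body_text(msg) -> str:
    """Concatenate all text/* parts so plain and HTML bodies are both scanned."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage_message(raw: str) -> list:
    """Return the indicator names matched by one raw RFC 822 message.

    An empty list means none of the lure's traits were seen; how many hits
    justify quarantining is the caller's policy decision.
    """
    msg = message_from_string(raw)
    hits = []

    display, addr = parseaddr(msg.get("From", ""))
    claims_icann = "icann" in display.lower()
    # Display name says ICANN, but the sending address belongs to someone else.
    if claims_icann and _domain_of(addr) not in LEGIT_ICANN_DOMAINS:
        hits.append("display-name spoofs ICANN")

    if msg.get("Subject", "").strip().lower() == LURE_SUBJECT:
        hits.append("known lure subject")

    body = _body_text(msg)
    if LURE_BODY in body.lower():
        hits.append("suspension wording")

    # A message posing as ICANN whose "more information" link leaves icann.org.
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    if claims_icann and any(h and not _is_legit_host(h) for h in hosts):
        hits.append("links point outside icann.org")
    return hits


def should_quarantine(raw: str, threshold: int = 2) -> bool:
    """Simple policy: two or more independent indicators means hold the mail."""
    return len(triage_message(raw)) >= threshold


# Constructed sample messages (not real mail from the campaign).
LURE = """\
From: ICANN Services <notices@example.net>
To: admin@example.org
Subject: ICANN attention letter
Content-Type: text/plain; charset=utf-8

Your Domain Has Been Suspended.
For more information click here: http://lure.example.net/notice
"""

BENIGN = """\
From: Domain Registrar <billing@example-registrar.com>
To: admin@example.org
Subject: Your invoice for July
Content-Type: text/plain; charset=utf-8

Thank you for your payment. View it at https://example-registrar.com/invoice
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage_message(raw), "quarantine:", should_quarantine(raw))
```

The display-name check is the one that generalises beyond this campaign: any message whose friendly name claims an organisation while the address and the links belong to another domain deserves a second look, whatever the subject line of the week happens to be.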

Clicking on the included link leads users to a page that loads malicious scripts. The purpose of these scripts is to exploit vulnerable software on the victim's computer and infect it with a backdoor. In addition, once the drive-by download is complete, the victims are dropped on a classic Canadian Pharmacy site that advertises unregulated meds.

Users should remember to always keep their software up to date, especially applications like their browser, Java Runtime Environment, Flash Player or Adobe Reader, which are frequently targeted. Having a capable antivirus program installed on the computer while surfing the Web is also a must.

You can follow the editor on Twitter @lconstantin