A malicious .htm file redirects users to malware-serving websites

Oct 27, 2012 08:53 GMT

Apparently, the best way to lure users to a BlackHole exploit kit-infested website is by sending them a confusing email in which they’re urged to click on a link or open an attachment.

According to Sophos experts, one of the latest plots is fairly simple. The cybercriminals send out fake LinkedIn emails entitled “Your photos” in an attempt to trick internauts into opening an attached .htm file.

The notification reads: “Hi, I have attached your photos to the mail (Open with Internet Explorer).”

Once the file, called “Image_DIG[random number].htm”, is opened, a “please wait a moment” message is displayed.

In the meantime, in the background, the victim is redirected to a BlackHole exploit website that’s designed to serve malware.

If you have Sophos antivirus installed on your computer, the malicious .htm file is detected as Mal/JSRedir-M.

As always, I advise users to be careful when presented with such emails. Remember that LinkedIn never attaches files to notifications.
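A mail-gateway triage check built from the indicators described above, as an added example that is not code from Sophos or LinkedIn. The sample message, its addresses and the reason labels are constructed, and the generic rule also covers .html attachments as a generalization of the .htm case.

```python
import re
from email import message_from_string

# Filename pattern reported in the article: Image_DIG[random number].htm
LURE_NAME = re.compile(r"^Image_DIG\d+\.htm$", re.IGNORECASE)
HTML_EXT = (".htm", ".html")  # .html added here as a generalization

# Constructed sample modelled on the lure text quoted in the article.
SAMPLE = """\
From: LinkedIn <notify@mail.example>
To: user@corp.example
Subject: Your photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, I have attached your photos to the mail (Open with Internet Explorer).
--b1
Content-Type: text/html; name="Image_DIG12345.htm"
Content-Disposition: attachment; filename="Image_DIG12345.htm"

<html><body>please wait a moment</body></html>
--b1--
"""

def triage(raw):
    """Return the reasons a message should be quarantined (empty list = pass)."""
    msg = message_from_string(raw)
    # Any MIME part that carries a filename is treated as an attachment.
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    # Heuristic: the From header (display name or address) claims LinkedIn.
    claims_linkedin = "linkedin" in msg.get("From", "").lower()
    reasons = []
    if claims_linkedin and names:  # LinkedIn notifications carry no attachments
        reasons.append("linkedin-notification-with-attachment")
    if any(n.lower().endswith(HTML_EXT) for n in names):
        reasons.append("html-attachment")
    if any(LURE_NAME.match(n) for n in names):
        reasons.append("known-lure-filename")
    return reasons

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The filename rule only catches this one campaign; the other two rules are the ones that keep working when the attachment is renamed.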