More email template abuse

Aug 6, 2010 07:46 GMT  ·  By

Security researchers warn about new spam campaigns that abuse the name of the YouSendIt online service to trick users into running malware or visiting infected websites. Some of the rogue emails contain links to websites that carry malicious payloads, while others have a new variant of the Bredolab trojan attached.

The spammers behind the first campaign are sending out fake YouSendIt pending download notification emails that look exactly like the real deal. However, all URLs within, such as those for retrieving the allegedly received file, have been replaced with ones pointing to malicious websites.

Clicking on any of the links takes users to a Web page that executes a drive-by download attack to install a trojan on their computers. Victims are then redirected to a Canadian pharmacy spam website. According to security researchers from MX Lab, a Belgian email security vendor that intercepted the emails, this redirect is meant to distract the user from the actual malware infection.

The second spam campaign leveraging the popularity of the YouSendIt service produces emails that instruct recipients to run a malicious attachment. "[Name] has sent you the following via YouSendIt. File attached to this letter," read the rogue messages, which carry YouSendIt's regular signature.

"The message has the attachment YouSendIt_reader.zip. Once extracted, the 20 kB large file YouSendIt_reader.exe is available. The trojan is known as Gen:Variant.Bredo.2 (BitDefender, F-Secure, GData), TrojanDownloader:Win32/Waledac.C (Microsoft)," the MX Lab researchers explain. The Bredolab trojan regularly serves as a distribution platform for other malware and, according to a recent report from Sophos, it is the most common email-borne threat.
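Both lures described above share two traits a mail gateway can check for: a message written in a service's template whose links lead off that service's domain, and a zip attachment that unpacks to an executable. The following is an added triage example (not MX Lab's, YouSendIt's or any vendor's code); the allowed domain set, the function names and the sample message are constructed for the illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"yousendit.com"}  # assumption: the only domain a genuine notification links to

class LinkCollector(HTMLParser):  # gathers every <a href> in an HTML body into self.hrefs
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.hrefs.append(dict(attrs)["href"])

def suspicious_links(html):
    """Hrefs whose host is outside LEGIT_DOMAINS although the template claims to be YouSendIt."""
    p = LinkCollector()
    p.feed(html)
    hosts = ((h, (urlparse(h).hostname or "").lower()) for h in p.hrefs)
    return [h for h, host in hosts if not any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)]

def executables_in_zip(part):
    """Executable names inside a zip attachment (the YouSendIt_reader.zip pattern)."""
    if part.get_content_type() != "application/zip":
        return []
    with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
        return [n for n in zf.namelist() if n.lower().endswith((".exe", ".scr"))]

def scan_message(raw):
    """Findings for a raw RFC 822 message; an empty list means nothing was flagged."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            findings += ["link:" + h for h in suspicious_links(part.get_content())]
        elif part.get_filename():
            findings += ["exe-in-zip:" + n for n in executables_in_zip(part)]
    return findings

def build_sample():
    """Constructed lookalike: YouSendIt wording, a link off the brand's domain, zip holding an .exe."""
    msg = EmailMessage()
    msg.set_content('<p>File attached to this letter. <a href="http://attacker.example/get">Download</a></p>', subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("YouSendIt_reader.exe", b"MZ placeholder, not a real binary")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="YouSendIt_reader.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` flags both the off-domain link and the executable inside the zip, while a link to a yousendit.com host is left alone.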

Email template abuse seems to be a growing trend amongst spammers. During the past month we reported on multiple spam campaigns masquerading as official notifications from popular services like Gmail, ImageShack, My Opera, ShopNBC or Twitter. As always, users should be extremely wary of all links and files received via email, even when they appear to originate from trusted parties.

You can follow the editor on Twitter @lconstantin