14 DAY TRIAL // A new wave of spam emails carrying HTML attachments that redirect to fake AV sites has been hitting mailboxes hard during the past two days.
The subjects of the rogue emails, as well as the names of the attached HTML documents are changing rapidly.
"Credit card", "Randolph Plans", "Apartment for rent", "Cops kill active shooter at John Hopkins Hospital" or "Church of Body Modification" are just some of them.
These names suggest the spammers might be using a crawler to grab titles from news websites (including advertisements).
Here are some other subjects, which enforce this idea: "NFL Picks Week 2", "Hospital violence on the rise, agency warns" and "'America's Got Talent' Judges Were They Shocked By."
According to Email security provider AppRiver, these emails first appeared last month, but during the past several days the campaign has grown increasingly aggressive.
Apparently, things have really escalated during the last 48 hours. "We have probably seen 15 - 20 different subjects accompanying these HTMLs today alone," the AppRiver researchers, write.
Meanwhile, experts from Sophos, who also investigated the spam campaign, warn that when opened the HTML attachments redirect users to scareware websites.
There are multiple redirects involved, during which rogue scripts hosted on different addresses are called via IFrames.
Eventually users end up on page displaying a fake antivirus scan, which warns them that malware was found on their computer.
They are encouraged to download and install a rogue program that further bombards them with security alerts about fictitious infections.
The ultimate goal of these schemes is to scare users into paying a license fee for an otherwise useless application.
"Unfortunately, the pages I have seen referenced by the iframe have been unavailable thus far, but I would expect the usual bunch of exploit scripts to be sitting there," notes Fraser Howard, a principal virus researcher at SophosLabs UK.