Rogue Google Mail invitations direct users to malicious websites

Aug 2, 2010 17:18 GMT

A new malware distribution campaign is abusing the default template of emails used to invite people to Gmail. The links in the rogue messages point to a website riddled with exploits.

"We're seeing quite the uptick in spoofed 'Your Friend has invited you to open a Google mail account' emails lately," security researchers from OnlyMyEmail, a Michigan-based anti-spam solutions vendor, warn. The fake messages look almost identical to the real Gmail invitations sent out by Google's system.

The researchers believe that the names and addresses used in the From field of the spam emails are copied from the address books of users whose computers have already been compromised. In addition, the messages are probably sent from the same infected machines, which are now part of a botnet.

All hyperlinks included in the rogue emails, such as the ones for "Sign up" or "Learn more", lead to a malicious website. The landing page loads a Web exploit toolkit that targets vulnerabilities in outdated versions of popular software such as Adobe Reader, Flash Player or Java.
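The tell in this campaign is that the template text is Google's but every call-to-action link points elsewhere. The following is an added example (not code from the article or from OnlyMyEmail) of a mail-filter check that extracts the hyperlinks from an invitation-style HTML body and flags any whose host is not a Google host; the trusted-suffix list and the sample message are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Gmail invitation would link to (assumption for this example).
TRUSTED_SUFFIXES = ("google.com", "gmail.com")


class _LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(url):
    """True only if the host is exactly a trusted domain or a subdomain of one.

    A plain substring match would accept look-alikes such as
    google.com.attacker.example, so the check is anchored on the suffix.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(html_body):
    """Return the (href, text) pairs that point off Google's domains."""
    parser = _LinkCollector()
    parser.feed(html_body)
    return [(href, text) for href, text in parser.links if not host_is_trusted(href)]


# Constructed sample resembling the spoofed template; not a real message.
SAMPLE = """
<p>Your friend has invited you to open a Google mail account.</p>
<a href="http://invite-example.test/go">Sign up</a>
<a href="http://google.com.invite-example.test/learn">Learn more</a>
<a href="https://mail.google.com/mail/help/about.html">About Gmail</a>
"""
```

Running `suspicious_links(SAMPLE)` flags the "Sign up" and "Learn more" links and leaves the mail.google.com link alone.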

This kind of attack is known as a drive-by download, because its purpose is to download and execute malicious files without the victim's permission. The whole process is completely invisible to users, which makes these malware infections very hard to detect without a capable antivirus program running on the computer.

There seems to be an increasing trend of abusing email templates used by legitimate services, which suggests that the technique is successful, at least to an extent that would compel other spammers to adopt it. In the past two months we've seen this method used to direct users to spam websites, Web exploits or pages employing social engineering tricks.

Some of the more recent examples we reported include fake ImageShack account registration emails, fake ShopNBC fliers, fake My Opera activation messages, and fake Twitter notifications. The cyber crooks even copied the format of the automatic messages sent out by Xerox WorkCentre Pro machines and used it to deliver malicious attachments.

You can follow the editor on Twitter @lconstantin

Rogue Google mail invitations contain malicious links
Example of rogue Gmail invitation