Malicious 'Payment request from' email attack strikes inboxes

by Graham Cluley on July 13, 2010 | Leave a comment

Filed Under: Malware, Spam

Please be careful. Malicious hackers have spammed out the latest incarnation of a campaign designed to compromise your computer - this time disguising their emails as though they were payment requests from eBay.

The emails have a blank message body, but have a file called form.html attached.

Malicious payment request email

Message characteristics:

Subject: Payment request from
From: "eBay" <eBay@reply1.ebay.com>
Attachment: form.html

Of course it's a sneaky piece of social engineering on the behalf of the hackers. Many people would be tempted to open the attachment to find out what on earth the email is about..

And opening the attachment (which Sophos detects as Troj/JSRedir-BV) redirects your web browser to a recently compromised webpage on a legitimate site infected with Mal/Iframe-Q.

Then, as Fraser described in a blog post about an earlier version of the attack, two things happen.

Firstly, your browser is redirected to a spam-related website (for instance, a Canadian pharmacy store). This may make you believe that the attack is merely designed to advertise medications on behalf of the spammers.

Pharmacy website

Furthermore, however, a malicious iFrame also downloads further malware from other third-party websites. This malware can obviously be changed at anytime, but we have seen versions of the ZBot family of malware be distributed in the attack.

As always, the best defence to protect your inbox is to run up-to-date security software (for instance, companies should be scanning their email for combined spam and malware attacks like this) and always be wary of opening unsolicited attachments.

And don't forget - the emails don't have to pretend to be from eBay to be malicious. Recently we've seen other criminal email campaigns with dangerous html attachments involving Adult Friend Finder, romantic interest & Skype purchases, Facebook porn & Skype payment problems, and Facebook password resets amongst others.

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

About the author

Graham Cluley is senior technology consultant at Sophos. The readers of Computer Weekly voted him security blogger of the year in 2009 and 2010, and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which was nice. He was also named "Best Security Blogger" by the readers of SC Magazine in 2011. You can subscribe to Graham's updates on Facebook, follow him on Twitter and circle him on Google Plus for regular updates.