Malicious 'Payment request from' email attack strikes inboxes

by Graham Cluley on July 13, 2010 | Leave a comment

Filed Under: Malware, Spam

Please be careful. Malicious hackers have spammed out the latest incarnation of a campaign designed to compromise your computer - this time disguising their emails as though they were payment requests from eBay.

The emails have a blank message body, but have a file called form.html attached.

Malicious payment request email

Message characteristics:

Subject: Payment request from
From: "eBay" <eBay@reply1.ebay.com>
Attachment: form.html

Of course it's a sneaky piece of social engineering on the behalf of the hackers. Many people would be tempted to open the attachment to find out what on earth the email is about..

And opening the attachment (which Sophos detects as Troj/JSRedir-BV) redirects your web browser to a recently compromised webpage on a legitimate site infected with Mal/Iframe-Q.

Then, as Fraser described in a blog post about an earlier version of the attack, two things happen.

Firstly, your browser is redirected to a spam-related website (for instance, a Canadian pharmacy store). This may make you believe that the attack is merely designed to advertise medications on behalf of the spammers.

Pharmacy website

Furthermore, however, a malicious iFrame also downloads further malware from other third-party websites. This malware can obviously be changed at anytime, but we have seen versions of the ZBot family of malware be distributed in the attack.

As always, the best defence to protect your inbox is to run up-to-date security software (for instance, companies should be scanning their email for combined spam and malware attacks like this) and always be wary of opening unsolicited attachments.

And don't forget - the emails don't have to pretend to be from eBay to be malicious. Recently we've seen other criminal email campaigns with dangerous html attachments involving Adult Friend Finder, romantic interest & Skype purchases, Facebook porn & Skype payment problems, and Facebook password resets amongst others.

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <pre> <q cite=""> <strike> <strong>

About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.