Malicious 'Payment request from' email attack strikes inboxes

Filed Under: Malware, Spam

Please be careful. Malicious hackers have spammed out the latest incarnation of a campaign designed to compromise your computer - this time disguising their emails as though they were payment requests from eBay.

The emails have a blank message body, but have a file called form.html attached.

Malicious payment request email

Message characteristics:

Subject: Payment request from
From: "eBay" <eBay@reply1.ebay.com>
Attachment: form.html

Of course it's a sneaky piece of social engineering on the behalf of the hackers. Many people would be tempted to open the attachment to find out what on earth the email is about..

And opening the attachment (which Sophos detects as Troj/JSRedir-BV) redirects your web browser to a recently compromised webpage on a legitimate site infected with Mal/Iframe-Q.

Then, as Fraser described in a blog post about an earlier version of the attack, two things happen.

Firstly, your browser is redirected to a spam-related website (for instance, a Canadian pharmacy store). This may make you believe that the attack is merely designed to advertise medications on behalf of the spammers.

Pharmacy website

Furthermore, however, a malicious iFrame also downloads further malware from other third-party websites. This malware can obviously be changed at anytime, but we have seen versions of the ZBot family of malware be distributed in the attack.

As always, the best defence to protect your inbox is to run up-to-date security software (for instance, companies should be scanning their email for combined spam and malware attacks like this) and always be wary of opening unsolicited attachments.

And don't forget - the emails don't have to pretend to be from eBay to be malicious. Recently we've seen other criminal email campaigns with dangerous html attachments involving Adult Friend Finder, romantic interest & Skype purchases, Facebook porn & Skype payment problems, and Facebook password resets amongst others.

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.