SophosLabs's worldwide network of email-monitoring stations has seen a tidal wave of malicious messages being spammed out with an attachment that redirects users' web browsers to a fake anti-virus attack.
The emails have subject names such as:
- Parking Permit and/or Benefit Card Order Receipt - <random number>
- You're invited to view my photos!
- Appointment Confirmation
- Your Bell e-bill is ready
- Your Vistaprint Order Is Confirmed
- Vistaprint Canadian Tax Invoice (<random number>)
By sending emails that pose as credit card charges and free-to-view holiday snaps from Bermuda, it wouldn't be any surprise at all if some users clicked on the attached files (which go by names such as Benefit Card Order Receipt.html, Print this album.html, Appointment Confirmation.html, e-bill.html, Vistaprint Order Invoice.html, and Tax Invoice.html).
Here's a closer look at two of the current spam messages we're seeing:
Opening the attached HTML file, however, redirects your web browser to a hacked website containing a malicious iFrame (which Sophos detects as Troj/Iframe-FK). This, in turn, loads scripts from other websites that load a fake anti-virus attack that Sophos detects as Mal/FakeAV-EI.
Mal/FakeAV-EI often disguises itself as a bogus version of McAfee VirusScan - regular readers of the blog may remember another attack involving this scareware that I wrote about last month.
Fraser Howard, a principal researcher in SophosLabs, recently made the following YouTube video explaining the problem of fake anti-virus software:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
We also have a white paper which explains the problem of fake anti-virus in greater detail.
So, in this attack, the hackers are using a mixture of human gullibility, poorly protected websites, and the tried-and-trusted trick of scaring users into believing that they have security problems on their PC to con them into downloading more dangerous software or handing over their credit card details.
Sophos is detecting the various HTML files attached to the spam emails as Troj/JSRedir-CH.
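The attack chain above starts with an HTML attachment whose only job is to bounce the browser to the compromised site, so a mail gateway can triage such attachments before any reputation lookup. The following is an added example, not Sophos code or the detection logic behind Troj/JSRedir-CH: it scores an HTML attachment on redirect mechanisms (meta refresh, script-driven location changes, hidden iframes, obfuscation helpers) plus the near-absence of visible text, and extracts the external hostnames for blocklist checks. The weights, the threshold and the sample attachments (with `.example.invalid` placeholder domains) are constructed assumptions.

```python
import re

# Heuristic markers for an HTML attachment that merely bounces the browser
# elsewhere: meta refresh, script-driven location changes, (hidden) iframes,
# and the obfuscation helpers commonly used to hide where it points.
INDICATORS = {
    "meta_refresh": re.compile(
        r"<meta\b[^>]*http-equiv\s*=\s*['\"]?refresh\b[^>]*url\s*=", re.I),
    "js_location": re.compile(
        r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*['\"]?0\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "obfuscation": re.compile(
        r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I),
}
WEIGHTS = {"meta_refresh": 3, "js_location": 3, "iframe": 1,
           "hidden_iframe": 3, "obfuscation": 2}
THRESHOLD = 3  # tuning assumption: one outright redirect mechanism is enough to quarantine


def external_hosts(html):
    """Hostnames of every absolute http(s) URL in the attachment, for blocklist lookups."""
    return {h.lower() for h in re.findall(r"https?://([A-Za-z0-9.-]+)", html, re.I)}


def score_html(html):
    """Return (score, sorted indicator names); redirect markers plus no visible text = redirector."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    score = sum(WEIGHTS[h] for h in hits)
    visible = re.sub(r"<script\b.*?</script>|<style\b.*?</style>|<[^>]+>", "",
                     html, flags=re.I | re.S).strip()
    if hits and len(visible) < 40:  # almost nothing for the user to read
        score += 2
    return score, hits


def verdict(html):
    """True when the attachment should be quarantined for analyst review."""
    return score_html(html)[0] >= THRESHOLD


# Constructed samples, not attachments from the campaign; domains are placeholders.
REDIRECTOR = ('<html><body><script>'
              'window.location.href="http://compromised-site.example.invalid/x.php";'
              '</script></body></html>')
INVOICE = ('<html><body><h1>Order receipt</h1><p>Thank you for your order of 3 items. '
           'Your card was charged $42.00. Questions? Visit http://shop.example.invalid/help</p>'
           '</body></html>')

if __name__ == "__main__":
    for label, sample in (("redirector", REDIRECTOR), ("invoice", INVOICE)):
        print(label, score_html(sample), external_hosts(sample), verdict(sample))
```

The extracted hostnames are what you would feed to a URL reputation service or compare against a list of known compromised sites; the score alone only tells you the attachment behaves like a redirector.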