Fairly typical social engineering is used in the email messages to entice the user into opening the attachment.
So, why is there a 4-second delay before this redirect? If you look at the source for the 'please wait' page you can find the answer: in addition to the META redirect, the page contains an iframe to some other remote site.
If you think this is starting to look familiar, you are quite right. Richard blogged about something similar earlier in the year. Back then, the iframe was used to load malware, and the META redirect used to take the user to a spam site. In the current attacks, the META redirect is now taking the victim to a fake AV site, where they are subject to the usual fake system scan.
Unfortunately, the pages I have seen referenced by the iframe have been unavailable thus far, but I would expect the usual bunch of exploit scripts to be sitting there.
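A defender's way to spot the 'please wait' page shape described above, as an added example that is not Sophos code: parse the HTML, pull out any META refresh that points off-site (and its delay), note any iframe whose src is on a different host, and flag the page only when both appear together. Host names in the sample are constructed placeholders, not the real sites from these attacks.

```python
# Added example (not Sophos code): flag a 'please wait' page that pairs a
# delayed META refresh to one site with an iframe pulling from another.
from html.parser import HTMLParser
from urllib.parse import urlparse
def parse_refresh(content):
    """'4;url=http://x/' -> (4, 'http://x/'); malformed values -> (0, '')."""
    delay_part, _, rest = content.partition(";")
    try:
        delay = int(delay_part.strip())
    except ValueError:
        delay = 0
    rest = rest.strip()
    url = rest[4:].strip().strip("'\"") if rest.lower().startswith("url=") else ""
    return delay, url

class PleaseWaitScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.refreshes = []  # (delay_seconds, off-site target url)
        self.iframes = []    # iframe src values on other hosts

    def _off_site(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            delay, url = parse_refresh(a.get("content", ""))
            if self._off_site(url):
                self.refreshes.append((delay, url))
        elif tag == "iframe" and self._off_site(a.get("src", "")):
            self.iframes.append(a["src"])

def scan_page(html, page_host):
    """Return (suspicious, findings); suspicious only when both parts appear."""
    p = PleaseWaitScanner(page_host)
    p.feed(html)
    p.close()
    findings = [f"meta refresh after {d}s to {u}" for d, u in p.refreshes]
    findings += [f"iframe loads remote content from {s}" for s in p.iframes]
    return bool(p.refreshes and p.iframes), findings

# Constructed sample in the shape described above; hosts are placeholders.
SAMPLE_PAGE = """<html><head><title>Please wait...</title>
<meta http-equiv="refresh" content="4;url=http://fakeav-site.invalid/scan.php">
</head><body>Please wait while the page loads...
<iframe src="http://other-site.invalid/in.php" width="1" height="1"></iframe>
</body></html>"""
```

Run `scan_page(SAMPLE_PAGE, "redirect-host.invalid")` to see both findings reported; a page with only a same-host iframe, or only a redirect, is not flagged.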
This attack provides a good example for describing what we mean when talking about layered protection. So, how exactly are Sophos customers protected from this attack:
- The spam messages are being pro-actively blocked by Sophos anti-spam products
- Detection for the spammed out redirects has been updated, as JS/WndRed-B
- The 'please wait' redirection page is pro-actively blocked as Troj/Iframe-FK
- The scripts used on the fake AV site are pro-actively blocked as Mal/FakeAvJs-A
- The fake AV payload itself is pro-actively detected as Mal/FakeAV-EI
Additionally, the URL filtering that is available in the web appliance and the 9.5 endpoint products pro-actively blocks the fake AV sites and sites referenced in the iframes. This means that even before today's update to the JS/WndRed-B detection, Sophos customers were already protected from this attack, in several ways. Another good reason to upgrade to the latest 9.5 product version!