Malicious PDF attack spammed out from compromised VioVet email system

Filed Under: Adobe, Malware, PDF, Spam, Vulnerability

If you're a customer of VioVet, the UK pet supplies and medications website, then be very careful opening your email this morning.

Customers are reporting that they have received an email purporting to contain a £50 gift certificate from the company - but the files linked to by the email actually contain malware.

VioVet email

One VioVet customer who received the dangerous email was Naked Security reader Rob Sanders, who told us about his experience:

I received an email to my email address at 12:39am GMT. It was sent to an email address I use solely for Viovet purchases and purported to contain a £50 gift certificate for use on Viovet.co.uk. It was sent from support[at]viovet.co.uk by osCommerce, according to the headers and the IPs appear to check out, so it seems legitimate.

It contains 4 links to a RAR file hosted on 3 file lockers and 1 IP address. The file contains a single PDF which appears to be empty, at least when uploaded to Google Docs. I assume this is an exploit of some sort, so I haven't opened it locally.

Judging by the email and the broken English it's written in, someone seems to have hacked the osCommerce installation on the Viovet website. Their website is also showing a bright red message reading: "We are experiencing intermittent problems with processing payments at the moment, so please do try but if it fails then you should find it works again shortly. Once we are happy that the payment provider has resolved all issues we will remove this message. This is not a security issue, don't worry!"

SophosLabs researcher Paul Baccas took a look at the PDF file, and sure enough he confirmed that it was malicious, and that it exploited a number of different Adobe Reader vulnerabilities. Paul told me that the PDF attempts to exploit CVE-2010-2883 (patched in Adobe Advisory APSA10-02), the SING Table Parsing Vulnerability, as well as other vulnerabilities depending on the version of Adobe Reader installed.
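As an added illustration (not code from the article, from SophosLabs or from Adobe), here is a small Python heuristic for the CVE-2010-2883 condition: it parses a TrueType font's sfnt table directory and flags a SING table whose fixed 28-byte uniqueName field carries no NUL terminator, which is the malformed input the vulnerable CoolType parser mishandled. Field offsets follow the documented SING table layout; the sample fonts are constructed inline, and in practice the font stream would first have to be extracted and decompressed from the PDF.

```python
import struct

SING_UNIQUENAME_OFFSET = 16   # uniqueName follows eight 16-bit header fields
SING_UNIQUENAME_LEN = 28      # fixed-size, NUL-terminated field in the SING table


def sfnt_tables(font: bytes) -> dict:
    """Parse the sfnt table directory of a TrueType font into {tag: table bytes}."""
    if len(font) < 12:
        raise ValueError("too short for an sfnt header")
    num_tables = struct.unpack(">H", font[4:6])[0]
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack(">4sIII", font[rec:rec + 16])
        if offset + length > len(font):
            raise ValueError(f"table {tag!r} points outside the file")
        tables[tag] = font[offset:offset + length]
    return tables


def sing_table_suspicious(font: bytes) -> bool:
    """True if the font has a SING table whose uniqueName is not NUL-terminated
    within its 28-byte field (or the table is too short to hold the field)."""
    sing = sfnt_tables(font).get(b"SING")
    if sing is None:
        return False
    name = sing[SING_UNIQUENAME_OFFSET:SING_UNIQUENAME_OFFSET + SING_UNIQUENAME_LEN]
    if len(name) < SING_UNIQUENAME_LEN:
        return True   # truncated SING table: malformed, flag it
    return b"\x00" not in name


def build_font(sing_table: bytes) -> bytes:
    """Constructed sample: a minimal sfnt containing only a SING table."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)      # 12-byte sfnt header
    directory = struct.pack(">4sIII", b"SING", 0, 12 + 16, len(sing_table))
    return header + directory + sing_table


def sing_table(unique_name: bytes) -> bytes:
    """Constructed sample SING table: 16 bytes of header fields, the uniqueName
    field, then a 16-byte METAMD5 field."""
    fixed = struct.pack(">HHHhHHhh", 1, 0, 1, 0, 0, 1000, 0, 0)
    name = unique_name.ljust(SING_UNIQUENAME_LEN, b"\x00")[:SING_UNIQUENAME_LEN]
    return fixed + name + b"\x00" * 16


BENIGN = build_font(sing_table(b"Glyphlet1"))                    # properly terminated
MALFORMED = build_font(sing_table(b"A" * SING_UNIQUENAME_LEN))   # no terminator
```

Real-world fonts embedded in PDFs usually sit in a FlateDecode-compressed FontFile2 stream, so a scanner would walk the PDF's objects and inflate each font stream before calling sing_table_suspicious().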

Sophos products detect the file as Mal/PDFEx-C.

Someone has also submitted the file to VirusTotal, where you can see what some other security vendors are calling it.

Interestingly, the booby-trapped PDF can display a CV as a decoy while doing its dirty work.

CV PDF decoy

A number of VioVet customers have posted messages on the company's Facebook page, confirming that they had also received the email. The firm's response on Facebook was a little curious, however, as it appeared to suggest that the emails had been "spoofed", and hadn't really come from their systems.

However, VioVet does confirm that it has removed "offending software" from its servers.

VioVet statement on Facebook

VioVet's website carries a warning to customers about the incident, explaining that the malicious spam messages were sent via a "legacy email system".

Whilst this is highly embarrassing, this is actually a good thing - we now know without any doubt that whoever did this did not have access to anything other than being able to send out some emails to customers.

In summary, it sounds like hackers were able to abuse VioVet's old mailing list software to send out a spam message to their customer base. That's a good reminder to everyone to make sure that obsolete software is removed from your servers - you may no longer be using it, but if it's just sitting there unpatched and unprotected it could potentially be exploited by cybercriminals.


One Response to Malicious PDF attack spammed out from compromised VioVet email system

  1. Michael · 1143 days ago

    WE RECEIVED THE $50 OFFER THIS MORNING IN FIJI AND AVG IDENTIFIED IT AS THREAT NAME TR/Dldr.slo

    Regards,

    Michael


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.