Romance and Skype deliveries plundered by spammers

Filed Under: Spam

Updated The malicious spam campaign I have blogged about for the last few days has morphed again, adopting a range of new disguises.

The most prevalent messages SophosLabs is intercepting claim to come from Skype with the subject line "We've delivered your purchase" and have an attached file called (rather unimaginatively) file.html.

Spam disguised as a delivery email from Skype

Opening the attached file, which Sophos detects as Troj/JSRedir-BO, redirects your browser to a Canadian pharmacy website selling online drugs such as Viagra and Cialis. As you're winging your way to that online drugstore, however, you can also be hit by an exploit which attempts to load a booby-trapped PDF and slap you with an infected EXE file via some Java exploits.

As in the previous examples of the attack, there is no text in the message body.

It's not just the Skype disguise, however. We're also seeing a variety of other subject lines being used, with the filename photo.html. Again, Sophos detects the file as JS/Redir-BO.

Other subject lines used in the spam campaign

These additional subject lines all appear to be romantically themed:

I Love You Forever
Just You And Me
Expressions Of Love
A Love Everlasting
Love, Always And Forever
Words Could Never Say
More Than Words Can Say
I'm Forever Yours
Our Future Together
You're The One
Missing Piece of the Puzzle
Forever Hasn't Gotten Here
I Want To Be Your Everything
Because Of You
Through Good and Bad
You Are My Sunshine
Love Is Huge
My Husband, My Lover

and many more..

The danger, of course, is that users may be tempted to open the photo.html file to see who has sent them the romantic missive.

Sophos detects the messages as spam, and the attachments as Troj/JSRedir-BO. If you're not using Sophos products to scan your email then you should contact your vendor to check that you are protected.

Update The spam campaign is now using a file attachment called open.html, which Sophos still detects as Troj/JSRedir-BO. Obviously the bad guys can change the disguises they use at any time, so remember to have your wits about you.

You might like

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and, and circle him on Google Plus for regular updates.