Malicious ‘Payment request from’ email attack strikes inboxes

Please be careful. Malicious hackers have spammed out the latest incarnation of a campaign designed to compromise your computer – this time disguising their emails as though they were payment requests from eBay.

The emails have a blank message body, but have a file called form.html attached.

Malicious payment request email

Message characteristics:

Subject: Payment request from
From: "eBay" <>
Attachment: form.html

Of course it’s a sneaky piece of social engineering on the behalf of the hackers. Many people would be tempted to open the attachment to find out what on earth the email is about..

And opening the attachment (which Sophos detects as Troj/JSRedir-BV) redirects your web browser to a recently compromised webpage on a legitimate site infected with Mal/Iframe-Q.

Then, as Fraser described in a blog post about an earlier version of the attack, two things happen.

Firstly, your browser is redirected to a spam-related website (for instance, a Canadian pharmacy store). This may make you believe that the attack is merely designed to advertise medications on behalf of the spammers.

Pharmacy website

Furthermore, however, a malicious iFrame also downloads further malware from other third-party websites. This malware can obviously be changed at anytime, but we have seen versions of the ZBot family of malware be distributed in the attack.

As always, the best defence to protect your inbox is to run up-to-date security software (for instance, companies should be scanning their email for combined spam and malware attacks like this) and always be wary of opening unsolicited attachments.

And don’t forget – the emails don’t have to pretend to be from eBay to be malicious. Recently we’ve seen other criminal email campaigns with dangerous html attachments involving Adult Friend Finder, romantic interest & Skype purchases, Facebook porn & Skype payment problems, and Facebook password resets amongst others.