It seems there’s a new scam flooding our mailboxes today, using a technique that may panic people into doing something they shouldn’t. We’ve seen a number of different messages all using the same technique of thanking the user for having made a payment for a service or product that the user didn’t order.
Each message also conveniently contains a link to view or track the order — but of course these aren’t links to the actual websites. Interestingly enough they don’t lead you to phishing pages, but rather to a compromised domain containing a script that redirects the user to whatever payload the scammers desire. Currently it’s redirecting to a Canadian Pharmacy page, but earlier in the campaign they were leading to a FakeAV page which we’re detecting as Mal/FakeAV-EI.
As always, pay attention to the link you’re about to click when going through your email. In some cases, simply clicking the link will be enough to infect your machine with a drive-by download, although keeping your browser up to date, using a browser such as Firefox and using a plugin such as NoScript can prevent many of these infections.
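
The link check described above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original post: it parses an HTML message and lists every link whose host lies outside the domain in the From header. The sample message, its domains and the function name `off_domain_links` are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every name and domain here is made up.
SAMPLE_EMAIL = """\
From: "Example Store" <orders@store.example>
Subject: Thank you for your payment
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Thank you for your payment of $89.99.</p>
<p><a href="http://blog.unrelated.example/wp/track.php?id=1">Track your order</a></p>
<p><a href="https://www.store.example/help">Help centre</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element that has an href."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def off_domain_links(raw_message):
    """Return (host, link text) for links whose host is outside the From domain."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    collector = LinkCollector()
    for part in msg.walk():  # covers single-part and multipart messages
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            collector.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    flagged = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if host and host != sender and not host.endswith("." + sender):
            flagged.append((host, text))
    return flagged

if __name__ == "__main__":
    for host, text in off_domain_links(SAMPLE_EMAIL):
        print(f"link '{text}' goes to {host}")
```

The From header can be forged and legitimate senders often link through third-party tracking domains, so treat the output as a triage signal to review, not a verdict.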