Another mass-spammed redirect (leading to fake AV)

Filed Under: Malware, SophosLabs, Spam

In what seems to be a fitting close to the week, today we have seen further waves of mass-spammed JavaScript redirects.

Fairly typical social engineering is used in the email messages to entice the user into opening the attachment.

Double-clicking the attachment will load the HTML file in the default browser and (depending on the browser security settings) run the malicious JavaScript. The script forces a redirect to a page on a remote site, where the user is shown a 'please wait' page, and redirected again after 4 seconds. This redirect page is being hosted within hacked legitimate sites.

So, why is there a 4 second delay before this redirect? If you look at the source for the 'please wait' page you can find the answer; in addition to the META redirect, the page contains an iframe to some other remote site.

If you think this is starting to look familiar, you are quite right. Richard blogged about something similar earlier in the year. Back then, the iframe was used to load malware, and the META redirect used to take the user to a spam site. In the current attacks, the META redirect is now taking the victim to a fake AV site, where they are subject to the usual fake system scan.

Unfortunately, the pages I have seen referenced by the iframe have been unavailable thus far, but I would expect the usual bunch of exploit scripts to be sitting there.

This attack provides a good example for describing what we mean when talking about layered protection. So, how exactly are Sophos customers protected from this attack:

  • The spam messages are being pro-actively blocked by Sophos anti-spam products
  • Detection for the spammed out redirects has been updated, as JS/WndRed-B
  • The 'please wait' redirection page is pro-actively blocked as Troj/Iframe-FK
  • The scripts used on the fake AV site are pro-actively blocked as Mal/FakeAvJs-A
  • The fake AV payload itself is pro-actively detected as Mal/FakeAV-EI

Additionally, the URL filtering that is available in the web appliance and the 9.5 endpoint products pro-actively blocks the fake AV sites and sites referenced in the iframes. This means that even before today's update to the JS/WndRed-B detection, Sophos customers were already protected from this attack, in several ways. Another good reason to upgrade to the latest 9.5 product version!

You might like

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.