Another mass-spammed redirect (leading to fake AV)

In what seems to be a fitting close to the week, today we have seen further waves of mass-spammed JavaScript redirects.

Fairly typical social engineering is used in the email messages to entice the user into opening the attachment.

Double-clicking the attachment will load the HTML file in the default browser and (depending on the browser security settings) run the malicious JavaScript. The script forces a redirect to a page on a remote site, where the user is shown a ‘please wait’ page, and redirected again after 4 seconds. This redirect page is being hosted within hacked legitimate sites.

So, why is there a 4 second delay before this redirect? If you look at the source for the ‘please wait’ page you can find the answer: in addition to the META redirect, the page contains an iframe to some other remote site, and the delay gives the browser time to fetch whatever that iframe points at before the user is sent on.
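For anyone triaging attachments or landing pages from a campaign like this, the two stages described above have a recognisable shape: a JavaScript `location` assignment in the attachment, and a META refresh with a non-zero delay sitting next to an iframe that points off-site. The following Python script is an added illustration of that heuristic, not Sophos code or the detection named later in the post; the HTML samples and hostnames in it are constructed placeholders, and the verdict names are my own.

```python
"""Triage heuristic for HTML attachments and landing pages.

Flags (a) JavaScript location redirects in <script> blocks and (b) the
'please wait' pattern: a delayed META refresh combined with an iframe that
loads content from a different host. Added example; the samples at the
bottom are constructed and the hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# META refresh content attribute: "<seconds>; url=<target>"
META_REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.I)

# Common JavaScript redirect idioms: location = "...", location.href = "...",
# location.replace("..."), location.assign("...")
JS_REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|self\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]",
    re.I,
)


class RedirectInspector(HTMLParser):
    """Collects META refreshes, iframe sources and script-driven redirects."""

    def __init__(self):
        super().__init__()
        self.meta_refresh = []   # list of (delay_seconds, url)
        self.iframes = []        # iframe src values
        self.js_redirects = []   # targets assigned to location inside <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_RE.match(a.get("content", ""))
            if m:
                self.meta_refresh.append((int(m.group(1)), m.group(2).strip()))
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text
        if self._in_script:
            for m in JS_REDIRECT_RE.finditer(data):
                self.js_redirects.append(m.group(1) or m.group(2))


def _host(url):
    return (urlparse(url).hostname or "").lower()


def inspect_html(html, page_host=""):
    """Return findings and a verdict for one HTML document.

    page_host is the host the page was fetched from; leave it empty for a
    local attachment so that any absolute iframe target counts as remote.
    """
    p = RedirectInspector()
    p.feed(html)
    p.close()
    remote_iframes = [u for u in p.iframes if _host(u) and _host(u) != page_host]
    delayed_meta = [(d, u) for d, u in p.meta_refresh if d > 0]
    findings = {
        "meta_refresh": p.meta_refresh,
        "remote_iframes": remote_iframes,
        "js_redirects": p.js_redirects,
    }
    # The delay is the tell: it lets the remote iframe finish loading before
    # the META refresh moves the browser on.
    if delayed_meta and remote_iframes:
        findings["verdict"] = "delayed-meta-redirect-with-remote-iframe"
    elif p.js_redirects:
        findings["verdict"] = "javascript-redirect"
    elif p.meta_refresh and _host(p.meta_refresh[0][1]) not in ("", page_host):
        findings["verdict"] = "meta-redirect-offsite"
    else:
        findings["verdict"] = "no-redirect-found"
    return findings


# Constructed samples with placeholder hostnames (not real indicators).
ATTACHMENT_HTML = """<html><body><script>
window.location = "http://hacked-site.example/wait.html";
</script></body></html>"""

PLEASE_WAIT_HTML = """<html><head>
<meta http-equiv="refresh" content="4;url=http://fakeav.example/scan.php">
</head><body>Please wait...
<iframe src="http://exploit-host.example/in.php" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(inspect_html(ATTACHMENT_HTML))
    print(inspect_html(PLEASE_WAIT_HTML, page_host="hacked-site.example"))
```

Run against the two constructed samples, the attachment is reported as a JavaScript redirect and the ‘please wait’ page as a delayed META redirect with a remote iframe; the verdict is only a triage hint, so the iframe and redirect targets it lists are what you would feed into URL reputation or sandbox analysis next.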

If you think this is starting to look familiar, you are quite right. Richard blogged about something similar earlier in the year. Back then, the iframe was used to load malware, and the META redirect used to take the user to a spam site. In the current attacks, the META redirect is now taking the victim to a fake AV site, where they are subject to the usual fake system scan.

Unfortunately, the pages I have seen referenced by the iframe have been unavailable thus far, but I would expect the usual bunch of exploit scripts to be sitting there.

This attack provides a good example for describing what we mean when talking about layered protection. So, how exactly are Sophos customers protected from this attack?

  • The spam messages are being pro-actively blocked by Sophos anti-spam products
  • Detection for the spammed-out redirects has been updated as JS/WndRed-B
  • The ‘please wait’ redirection page is pro-actively blocked as Troj/Iframe-FK
  • The scripts used on the fake AV site are pro-actively blocked as Mal/FakeAvJs-A
  • The fake AV payload itself is pro-actively detected as Mal/FakeAV-EI

Additionally, the URL filtering that is available in the web appliance and the 9.5 endpoint products pro-actively blocks the fake AV sites and sites referenced in the iframes. This means that even before today’s update to the JS/WndRed-B detection, Sophos customers were already protected from this attack, in several ways. Another good reason to upgrade to the latest 9.5 product version!