Malicious PDF attack spammed out from compromised VioVet email system

Malicious PDF spammed out from compromised VioVet email system

ViovetIf you’re a customer of VioVet, the UK pet supplies and medications website, then be very careful opening your email this morning.

Customers are reporting that they have received an email purporting to contain a £50 gift certificate from the company – but the files linked to by the email actually contain malware.

VioVet email

One VioVet customer who received the dangerous email was Naked Security reader Rob Sanders, who told us about his experience:

I received an email to my email address at 12:39am GMT. It was sent to an email address I use solely for Viovet purchases and purported to contain a £50 gift certificate for use on It was sent from support[at] by osCommerce, according to the headers and the IPs appear to check out, so it seems legitimate.

It contains 4 links to a RAR file hosted on 3 file lockers and 1 IP address. The file contains a single PDF which appears to be empty, at least when uploaded to Google Docs. I assume this is an exploit of some sort, so I haven't opened it locally.

Judging by the email and the broken English it's written in, someone seems to have hacked the osCommerce installation on the Viovet website. Their website is also showing a bright red message reading: "We are experiencing intermittent problems with processing payments at the moment, so please do try but if it fails then you should find it works again shortly. Once we are happy that the payment provider has resolved all issues we will remove this message. This is not a security issue, don't worry!"

SophosLabs researcher Paul Baccas took a look at the PDF file, and sure enough he confirmed that it was malicious, and exploited a number of different Adobe Reader vulnerabilities. Paul told me that the PDF does attempt to exploit CVE-2010-2883 (patched in Adobe Advisory APSA10-02), the SING Table Parsing Vulnerability and other vulnerabilities depending on the version of Adobe.

Sophos products detect the file as Mal/PDFEx-C.

Someone has also submitted the file to VirusTotal, where you can see what some other security vendors are calling it.

Interestingly, the boobytrapped PDF can display a CV as a decoy while doing its dirty work.

CV PDF decoy

A number of VioVet customers have posted messages on the company’s Facebook page, confirming that they had also received the email. The firm’s response on Facebook was a little curious, however, as it appeared to suggest that the emails had been “spoofed”, and hadn’t really come from their systems.

However, VioVet does confirm that it has removed “offending software” from its servers.

VioVet statement on Facebook

VioVet’s website carries a warning to customers, about the incident explaining that the malicious spam messages were sent via a “legacy email system”.

Whilst this is highly embarrassing, this is actually a good thing - we now know without any doubt that whoever did this did not have access to anything other than being able to send out some emails to customers.

In summary, it sounds like hackers were able to abuse VioVet’s old mailing list software to send out a spam message to their customer base. That’s a good reminder to everyone to make sure that obsolete software is removed from your servers – you may no longer be using it, but if it’s just sitting there unpatched and unprotected it could potentially be exploited by cybercriminals.