Sophos Cloud Optix
Do you own a mobile phone?
Is your mobile phone on the Vodafone cellphone network?
If so, you could be a prime target for infection by a new malware attack that has been distributed widely via email across the internet.
The attack, which SophosLabs has intercepted in its global network of email spam traps, poses as a notification about a MMS message that has purportedly sent to the recipient’s mobile phone.
Here’s what a typical email looks like:
Subject: You have received a new message
Attached file: Vodafone_MMS-uk.zipMessage body:
You have received a picture message from mobile number +447775226358
To save this picture, please save attached file.
Inside the ZIP file is a malicious program (Vodafone_MMS-uk.jpeg.exe), detected by Sophos products as Troj/Agent-YXP.
The program’s use of a double extension (.jpeg.exe) is clearly a ruse to try to trick people (especially those who have told Windows to hide file extensions) into believing that the file sent to them is a genuine JPEG image rather than malware.
Of course, the messages do not really come from Vodafone. The malicious hackers have simply forged the email headers in an attempt to make their boobytrapped message look more authentic.
And, of course, it would be trivial for the cybercriminals to change their message to make it appear as though it came from another mobile phone network, rather than Vodafone.
The malware is designed to infect Windows computers rather than mobile phones, but human nature being what it is there would be no surprise if some people opened the emails when it arrives on their computer, or forwarded it from their mobile phone to a Windows PC in an attempt to view the supposed picture.
Remember – you should always be suspicious of unsolicited messages, especially when they encourage you to open an attachment or click on a link. Cybercriminals are masters of using your natural curiousity against you, hoping to trick you into infecting your computer.
Slow news day? Minor blip on the Sophos quality line there reporting common or garden hoax email malware story thats been around for half a decade or more but with DHL, Halifax, etc etc instead of Voda. Now an idea on the run up to Xmas would be a similar story but focusing on watching out for the epidemic levels of spam saying "you were out when we tried to deliver the Christmas presents you ordered from Amazon, click here or else" that usually appears right about now.
Slow news? How so?
It's a new widespread spam campaign, helping to distribute a new malware variant.
We could ignore it, but that's hardly going to help people who might be tricked into opening the attachment. Which would be especially bad if their chosen anti-virus didn't protect against it.
Hope that explains our reasoning!
just came back from Italy and felt that maybe a friend sent something. thanks google for keeping us aware of these items.
Perhaps a campagn to get microsoft to have known extensions shown instead of hidden by default!
good point… or it could even be a campaign
I was thinking this might be to do with Voda Aus but then I remembered everyone left them anyway. 😛
PS: Pass this joke onto Paul Ducklin, he'll get it.
From looking at our mail filter, it's not just showing as Vodafone, I've also seen malware proporting to have come from Orange, 02, etc.
I’m getting the same, I can get upto 6 aday!!!!!!! just blocking each one now, and these have only just started coming through now the last couple of days, but i’m getting showered by them!
Have received one today using a Three header
Just got one pretending to be from the 3 network today
Our Sophos software (Endpoint and PureMessage) isn't picking up these at malware
Please submit a sample to our labs so we can look into it. Thanks!
Details of how to submit http://www.sophos.com/en-us/support/knowledgebase…
Our filters have stopped a few of these. Most from mms@telstra.com.au, some from mms@vodafone.com.au. Just waiting for Optus to deliver 🙂
been receiving 3 of these emails a day for the last week. It gets stripped of everything before it even gets to me but this virus is far from new (now March 2014)