Millions of Italian people carry Postepay cards.
The pre-paid rechargeable cards, distributed by Poste Italiane, are frequently used to make internet purchases.
And that’s why Italian computer users should be on their guard against a criminal email campaign that has been spammed out, designed to steal usernames and passwords that would give hackers access to Postepay users’ accounts.
At first glance, recipients may think the email looks harmless enough. The sender’s address leads people to believe it is a notification from Postepay, and the subject line says that it is the final notification to activate a new service.
From: "Servizi Informativi" <PostePay@Poste.it>
Subject: Ultima notifica da noi, attivare il nuovo sistema
Attached file: Cliente.html
The lack of a link in the email may even trick some recipients into believing that the email can’t possibly be a phishing attack, and lead them to blindly open the attachment.
If they make that mistake they *will* find that their web browser opens the genuine Poste Italiane website – but through an iFrame injection in the attached file, a pop-up is also displayed (located on a UK pet supply website) posing as a credible-looking request for a username and password:
It’s all too easy to imagine that many people who saw such a login screen would be duped into believing that it was genuine, and enter their login credentials without thinking twice.
What makes this attack a little more interesting is how the spammers behind it have chosen the famous “To Be Or Not To Be” soliloquy from Shakespeare’s Hamlet as a “hash buster”.
Hash busters are random sections of text or sequences of characters which can be added to a file in order to change the resulting file’s checksum.
In the examples seen by SophosLabs, the HTML file has been adapted to incorporate what is probably one of the world’s most famous speeches – but sadly for anyone hoping to enjoy the great Bard’s use of iambic pentameter the attackers use a CSS trick to ensure it does not get displayed:
<p style="display: none">
To be, or not to be: that is the question:
Whether 'tis nobler in the mind to suffer The slings and arrows of outrageous fortune, Or to take arms against a sea of troubles, And by opposing end them? To die: to sleep; No more; and by a sleep to say we end The heart-ache and the thousand natural shocks That flesh is heir to, 'tis a consummation Devoutly to be wish'd. To die, to sleep; To sleep: perchance to dream: ay, there's the rub; For in that sleep of death what dreams may come When we have shuffled off this mortal coil, Must give us pause: there's the respect That makes calamity of so long life; For who would bear the whips and scorns of time, The oppressor's wrong, the proud man's contumely, The pangs of despised love, the law's delay, The insolence of office and the spurns That patient merit of the unworthy takes, When he himself might his quietus make With a bare bodkin? who would fardels bear, To grunt and sweat under a weary life, But that the dread of something after death, The undiscover'd country from whose bourn No traveller returns, puzzles the will And makes us rather bear those ills we have Than fly to others that we know not of?
Thus conscience does make cowards of us all; And thus the native hue of resolution Is sicklied o'er with the pale cast of thought, And enterprises of great pith and moment With this regard their currents turn awry, And lose the name of action. - Soft you now!
The fair Ophelia! Nymph, in thy orisons
Be all my sins remember'd.
</p>
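As an added illustration of the hash-buster idea (this is example code written for this page, not code from the original article, from Sophos or from the attachment itself), the Python script below hashes two constructed variants of an HTML attachment that differ only in their hidden paragraph, and compares the plain file hash, which the padding changes, with a fingerprint built from the tag skeleton and visible text, which it does not; it also records the iframe targets and the amount of hidden text, the kind of signal a scanner would log. The sample markup and all names in it are hypothetical.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample: two variants of a phishing-style HTML attachment that differ
# only in their hidden "hash buster" paragraph (hypothetical, not the real Cliente.html).
TEMPLATE = ('<html><body><iframe src="https://www.poste.it/"></iframe>'
            '<p style="display: none">{buster}</p></body></html>')
VARIANT_A = TEMPLATE.format(buster="To be, or not to be: that is the question:")
VARIANT_B = TEMPLATE.format(buster="Whether 'tis nobler in the mind to suffer")
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # never get an end tag

class HiddenTextAnalyzer(HTMLParser):
    """Collect the tag skeleton, visible text, iframe targets and hidden-text size."""
    def __init__(self):
        super().__init__()
        self.skeleton, self.visible, self.iframes = [], [], []
        self.hidden_depth = 0   # >0 while inside a display:none subtree
        self.hidden_chars = 0
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            self.iframes.append(attrs.get("src") or "")
        self.skeleton.append(tag)
        if tag in VOID_TAGS:
            return
        style = attrs.get("style") or ""
        if self.hidden_depth or re.search(r"display\s*:\s*none", style, re.I):
            self.hidden_depth += 1
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_depth:
            self.hidden_depth -= 1
    def handle_data(self, data):
        if self.hidden_depth:
            self.hidden_chars += len(data)   # padding the user never sees
        else:
            self.visible.append(data.strip())

def file_hash(html: str) -> str:
    """Plain SHA-256 of the bytes: exactly what a hash buster is designed to change."""
    return hashlib.sha256(html.encode()).hexdigest()

def analyze(html: str) -> dict:
    p = HiddenTextAnalyzer()
    p.feed(html)
    p.close()
    # Fingerprint over structure and visible content only, so text inside
    # hidden elements cannot alter it.
    canon = "|".join(p.skeleton) + "#" + " ".join(t for t in p.visible if t)
    return {"fingerprint": hashlib.sha256(canon.encode()).hexdigest(),
            "iframes": p.iframes, "hidden_chars": p.hidden_chars}
```

Running `analyze` on both variants gives different `file_hash` values but the same `fingerprint`, with the iframe target and a non-zero hidden-text count reported for each.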
Sorry cybercriminals – that isn’t enough to defeat sophisticated security products. Sophos products block the HTML file attached to the email as Troj/Ifrin-A (If you’re curious, the name comes from “iFrame injection”).
Attacks like this are, once again, reminders for all of us to be careful about what email attachments we open on our computers – even if the email appears to come from an organisation that you regularly do business with.
Thanks to SophosLabs researcher Andrew O’Donnell for his assistance with this article.