Yesterday I blogged about a widespread spam campaign that posed as a message to “Reset your Facebook password”, but was really designed to redirect you to a Canadian pharmacy website instead. En route you can also be hit by an exploit which attempts to load a booby-trapped PDF and slap you with an infected EXE file via some Java exploits.
Today it looks like the same gang have changed their disguise, spamming out many messages with the subject line “Problem with your payment” pretending to come from [email protected].
Clearly the “from” address has been forged, as is common with spam messages, and your suspicions should be aroused by the fact that there is no text in the body of the message but just an attachment called Skype.html.
Sophos detects the attachment as Troj/JSRedir-BO, meaning that your browser won’t be redirected to a third-party site as the cybercriminals would wish.
Although the vast majority of the spam messages we have seen in this campaign today have used the Skype disguise, I also stumbled across this example which pretends to be an X-rated Facebook message about “porn chicks” teaching a “rookie” about something to do with chickens:
Again, we detect the facebook.html file attachment as Troj/JSRedir-BO.
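The tell-tale shape described above (no text in the body, just an .html attachment) can be checked mechanically at a mail gateway. The following is an added example, not code from Sophos or from the original post; the redirect markers it looks for are assumptions, since the post does not show the attachments' contents, and both sample messages are constructed with placeholder addresses and domains.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed markers of a browser redirect; the post does not show the attachment's contents.
REDIRECT_MARKERS = ("<script", "http-equiv", "window.location", "location.href")

def triage(raw_bytes):
    """Return reasons a message matches the described shape: blank body, .html attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body, attachments = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64/quoted-printable transfer encoding
        data = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        name = part.get_filename()
        if name:
            attachments.append((name, data))
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += data
    html = [(n, d) for n, d in attachments if n.lower().endswith((".html", ".htm"))]
    reasons = []
    if html and not body.strip():
        reasons.append("empty body with HTML attachment")
    for name, data in html:
        hits = [m for m in REDIRECT_MARKERS if m in data.lower()]
        if hits:
            reasons.append(f"{name} contains {', '.join(hits)}")
    return reasons

def build_sample(subject, body, filename, attachment_html):
    """Build a constructed test message (not a captured sample from the campaign)."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"  # placeholder sender
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(attachment_html, subtype="html", filename=filename)
    return m.as_bytes()

SUSPICIOUS = build_sample("Problem with your payment", "\n", "Skype.html",
    '<html><script>window.location="http://r.example.invalid/";</script></html>\n')
BENIGN = build_sample("Meeting notes", "Hi, notes attached.\n", "notes.html",
    "<html><body><p>Agenda and actions</p></body></html>\n")

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(raw))
```

A heuristic like this is a triage signal to combine with anti-malware scanning of the attachment, not a replacement for it.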
It’s probably a sad reflection on society that there are many people on the internet who wouldn’t think twice about opening a file attached to an email with that subject line.