SophosLabs is currently intercepting a widespread malware attack, being spammed out to innocent internet users under the disguise of a mailbox deactivation notice.
The emails, which have a subject line of “your mailbox has been deactivated”, pretend to come from the recipient’s domain. For instance, if your email address was [email protected] the emails would pretend to be from [email protected].
Subject:
your mailbox has been deactivated
Message body:
We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.
Best regards, [domain name] technical support.
Attached to the emails is a zip file – utility.zip. Under no circumstances should you run the program contained inside the Zip file as it contains the Mal/EncPk-LP Trojan horse.
The clever thing about this attack, of course, is the social engineering. We’ve seen this trick before (of pretending to be from the administrators of your email system) but the reason why it is still being used is because it works. Users panic if they think they might be at risk of having their umbilical cord to the internet cut off and may race to open the attachment before thinking about the malice that might lie behind it.