Malicious spammers launch major fake anti-virus attack

SophosLabs’s worldwide network of email-monitoring stations has seen a tidal wave of malicious messages being spammed out with an attachment that redirects users’ web browsers to a fake anti-virus attack.

The emails have subject names such as:

  • Parking Permit and/or Benefit Card Order Receipt - <random number>
  • You're invited to view my photos!
  • Appointment Confirmation
  • Your Bell e-bill is ready
  • Your Vistaprint Order Is Confirmed
  • Vistaprint Canadian Tax Invoice (<random number>)

By sending emails that pose as credit card charges and free-to-view holiday snaps from Bermuda, it wouldn’t be any surprise at all if some users clicked on the attached files (which go by names such as Benefit Card Order Receipt.html, Print this album.html, Appointment Confirmation.html, e-bill.html, Vistaprint Order Invoice.html, and Tax Invoice.html).

Here’s a closer look at two of the current spam messages we’re seeing:


Parking Permit malicious email

You're invited to view my photos!

Opening the attached HTML file, however, redirects your web browser to a hacked website containing a malicious iFrame (which Sophos detects as Troj/Iframe-FK). This, in turn, loads scripts from other websites that load a fake anti-virus attack that Sophos detects as Mal/FakeAV-EI.

Mal/FakeAV-EI often disguises itself as a bogus version of McAfee VirusScan – regular readers of the blog may remember another attack involving this scareware that I wrote about last month.

Fraser Howard, a principal researcher in SophosLabs, recently made the following YouTube video explaining the problem of fake anti-virus software:

We also have a white paper which explains the problem of fake anti-virus in greater detail.

So, in this attack, the hackers are using a mixture of human gullibility, poorly protected websites, and the tried-and-trusted trick of scaring users into believing that they have security problems on their PC to con them into downloading more dangerous software or handing over their credit card details.

Sophos is detecting the various HTML files attached to the spam emails as Troj/JSRedir-CH.
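As an added illustration of how a mail gateway could triage redirect-only HTML attachments of the kind described above (example code, not Sophos's detection logic): it pulls out meta-refresh targets, iframe and external script sources and inline JavaScript location writes, and quarantines anything whose job is simply to send the browser elsewhere. The sample attachment and its hacked-site.example domain are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the HTML attachments the post describes
# (placeholder redirect target; not a real malware sample).
SAMPLE_ATTACHMENT = """<html><head><title>Appointment Confirmation</title>
<meta http-equiv="refresh" content="0;url=http://hacked-site.example/index.php">
</head><body>
<script>window.location.href = "http://hacked-site.example/index.php";</script>
<iframe src="http://hacked-site.example/frame.php" width="1" height="1"></iframe>
</body></html>"""

# Client-side redirect idioms typical of redirector attachments.
JS_REDIRECT = re.compile(
    r"(?:window|document|top|self|parent)\.location(?:\.href)?\s*=|location\.replace\s*\(", re.I)

class _Extractor(HTMLParser):
    """Collects meta-refresh targets, iframe/script sources and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.meta_refresh, self.iframes, self.scripts, self.inline_js = [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append(m.group(1).strip())
        elif tag == "iframe":
            self.iframes.append(a.get("src", ""))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)

def scan_html_attachment(html):
    """Return redirect indicators and a quarantine/clean verdict for one HTML attachment."""
    p = _Extractor()
    p.feed(html)
    hosts = {urlparse(u).hostname for u in p.meta_refresh + p.iframes + p.scripts}
    js_redirect = any(JS_REDIRECT.search(js) for js in p.inline_js)
    findings = {"meta_refresh": p.meta_refresh, "js_redirect": js_redirect,
                "iframes": p.iframes, "external_scripts": p.scripts,
                "external_hosts": sorted(h for h in hosts if h)}
    # A receipt or invoice has no reason to redirect; treat any redirect as suspect.
    findings["verdict"] = "quarantine" if (p.meta_refresh or js_redirect or p.iframes) else "clean"
    return findings
```

The external_hosts list is what you would hand to web filtering, since the hacked sites hosting the iframe and the fake anti-virus scripts change more often than the attachment template does.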

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
