Romance and Skype deliveries plundered by spammers

Updated The malicious spam campaign I have blogged about for the last few days has morphed again, adopting a range of new disguises.

The most prevalent messages SophosLabs is intercepting claim to come from Skype with the subject line “We’ve delivered your purchase” and have an attached file called (rather unimaginatively) file.html.

Spam disguised as a delivery email from Skype

Opening the attached file, which Sophos detects as Troj/JSRedir-BO, redirects your browser to a Canadian pharmacy website selling online drugs such as Viagra and Cialis. As you’re winging your way to that online drugstore, however, you can also be hit by an exploit which attempts to load a booby-trapped PDF and slap you with an infected EXE file via some Java exploits.

Sign up to our free newsletter.
Security news, advice, and tips.

As in the previous examples of the attack, there is no text in the message body.

It’s not just the Skype disguise, however. We’re also seeing a variety of other subject lines being used, with the filename photo.html. Again, Sophos detects the file as JS/Redir-BO.

Other subject lines used in the spam campaign

These additional subject lines all appear to be romantically themed:

I Love You Forever
Just You And Me
Expressions Of Love
A Love Everlasting
Love, Always And Forever
Words Could Never Say
More Than Words Can Say
I'm Forever Yours
Our Future Together
You're The One
Missing Piece of the Puzzle
Forever Hasn't Gotten Here
I Want To Be Your Everything
Because Of You
Through Good and Bad
You Are My Sunshine
Love Is Huge
My Husband, My Lover

and many more..

The danger, of course, is that users may be tempted to open the photo.html file to see who has sent them the romantic missive.

Sophos detects the messages as spam, and the attachments as Troj/JSRedir-BO. If you’re not using Sophos products to scan your email then you should contact your vendor to check that you are protected.

Update The spam campaign is now using a file attachment called open.html, which Sophos still detects as Troj/JSRedir-BO. Obviously the bad guys can change the disguises they use at any time, so remember to have your wits about you.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.