Updated: The malicious spam campaign I have blogged about for the last few days has morphed again, adopting a range of new disguises.
The most prevalent messages SophosLabs is intercepting claim to come from Skype with the subject line “We’ve delivered your purchase” and have an attached file called (rather unimaginatively) file.html.
Opening the attached file, which Sophos detects as Troj/JSRedir-BO, redirects your browser to a Canadian pharmacy website selling online drugs such as Viagra and Cialis. As you’re winging your way to that online drugstore, however, you can also be hit by an exploit which attempts to load a booby-trapped PDF and slap you with an infected EXE file via some Java exploits.
As in the previous examples of the attack, there is no text in the message body.
It’s not just the Skype disguise, however. We’re also seeing a variety of other subject lines being used, with the filename photo.html. Again, Sophos detects the file as Troj/JSRedir-BO.
These additional subject lines all appear to be romantically themed:
I Love You Forever
Just You And Me
Expressions Of Love
A Love Everlasting
Love, Always And Forever
Words Could Never Say
More Than Words Can Say
I'm Forever Yours
Our Future Together
You're The One
Missing Piece of the Puzzle
Forever Hasn't Gotten Here
I Want To Be Your Everything
Because Of You
Through Good and Bad
You Are My Sunshine
Love Is Huge
My Husband, My Lover
and many more...
The danger, of course, is that users may be tempted to open the photo.html file to see who has sent them the romantic missive.
Sophos detects the messages as spam, and the attachments as Troj/JSRedir-BO. If you’re not using Sophos products to scan your email then you should contact your vendor to check that you are protected.
Update: The spam campaign is now using a file attachment called open.html, which Sophos still detects as Troj/JSRedir-BO. Obviously the bad guys can change the disguises they use at any time, so remember to have your wits about you.
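Because the subject lines and attachment names keep rotating, a mail filter can key on the structure described above instead: no text in the body plus an HTML-only attachment. The sketch below is an added example, not Sophos's detection logic; the function names, addresses and sample messages are constructed for illustration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

HTML_EXTS = (".html", ".htm")

def is_bodyless_html_lure(raw: bytes) -> bool:
    """True if the message has no body text and every attachment is an HTML file."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body_text, attachments = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name or part.get_content_disposition() == "attachment":
            attachments.append((name or "").lower())
        elif part.get_content_maintype() == "text":
            body_text += part.get_content()
    if body_text.strip() or not attachments:
        return False
    # Match on structure, not on file.html/photo.html/open.html: the names rotate.
    return all(name.endswith(HTML_EXTS) for name in attachments)

def make_message(subject, body, attachment=None):
    """Build a constructed sample message (not a captured one)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment == "pdf":
        m.add_attachment(b"%PDF-1.4", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    elif attachment:
        m.add_attachment("<html></html>", subtype="html", filename=attachment)
    return m.as_bytes()

# Constructed samples: (subject, body, attachment name / "pdf" / None)
SAMPLES = [
    ("We've delivered your purchase", "\n", "file.html"),
    ("I Love You Forever", "\n", "photo.html"),
    ("Quarterly report", "Hi, report attached.\n", "report.html"),
    ("Your invoice", "\n", "pdf"),
]

if __name__ == "__main__":
    for subject, body, att in SAMPLES:
        print(subject, "->", is_bodyless_html_lure(make_message(subject, body, att)))
```

Legitimate mail can occasionally have this shape too, so the result is better used as a scoring or quarantine signal alongside content scanning than as a verdict on its own.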