Below is a screen shot of the email message as seen by an unsuspecting user:
Analyzing the attached file, we notice the following obfuscated script:
Beautified results: We can identify the use of substitution to derive the relevant URL. The "replace" section of the script performs a simple substitution to generate the domain name.
Below we have the de-obfuscated URL:
Following are the results of URL analysis within our tracker. As you can see, we have numerous live real-time analytics protecting against this type of threat and its derivatives:
Websense Messaging and Websense Web Security customers are protected against these attacks.