Emails disguised as electronic cards have been used as bait over and over again for malicious intent. The fact that they are overused is a clear indicator that this lure indeed works. Websense Security Labs™ and the Websense ThreatSeeker® Network recently came across an e-card themed email. Our customers are protected from this threat by ACE, our Advanced Classification Engine.
Let us first look at the sample email. The URLs used in the emails are either compromised sites or were only created barely two weeks ago.
Screen shot 1 : Sample email that the Websense Email Threat Team got hold of recently
Clicking the URL withing the email directs you to a site containing obfuscated code similar to the one shown on Screen shot 2. This code then creates an iframe containing another URL which you can see on Screen shot 3.
Screen shot 2 : Obfuscated code of the URL that came with the email
Screen shot 3 : Deobfuscated code of the URL from the email.
The contents of the URL specified in the iframe contains another obfuscated script. This script, which uses a strikingly similar redirection code in our recent blog, in turn drops the exploit code and runs a rogue AV on the victim's machine.
Screen shot 4 : Code snippet of the URL specified in the iframe used in redirection
Having the victim click on the link and then download an executable is usually the norm on these type of attacks. However, in this case, victims are exploited, and malware is downloaded and executed simply by clicking the URL link that came with the email.
Screen shot 5 : Snapshot of the malicious website used in the email
Websense Email Security and Websense Web Security protect against these kinds of blended attacks.