Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Malicious E-Cards on the prowl

View all posts > 

Malicious E-Cards on the prowl

Posted: 26 Apr 2011 09:14 PM | Mary Grace Timcang | no comments


 

Emails disguised as electronic cards have been used as bait over and over again for malicious intent. The fact that they are overused is a clear indicator that this lure indeed works.  Websense Security Labs™ and the Websense ThreatSeeker® Network recently came across an e-card themed email.  Our customers are protected from this threat by ACE, our Advanced Classification Engine.

 

Let us first look at the sample email.  The URLs used in the emails are either compromised sites or were only created barely two weeks ago.

 

Screen shot 1 : Sample email that the Websense Email Threat Team got hold of recently



Clicking the URL withing the email directs you to a site containing obfuscated code similar to the one shown on Screen shot 2. This code then creates an iframe containing another URL  which you can see on Screen shot 3.

 

Screen shot 2 : Obfuscated code of the URL that came with the email


Screen shot 3 : Deobfuscated code of the URL from the email.

 

The contents of the URL specified in the iframe contains another obfuscated script.  This script, which uses a strikingly similar redirection code in our recent blog, in turn drops the exploit code and runs a rogue AV on the victim's machine.

 

Screen shot 4 : Code snippet of the URL specified in the iframe used in redirection

 

Having the victim click on the link and then download an executable is usually the norm on these type of attacks. However, in this case, victims are exploited, and malware is downloaded and executed simply by clicking the URL link that came with the email.

 

Screen shot 5 : Snapshot of the malicious website used in the email

 

Websense Email Security and Websense Web Security protect against these kinds of blended attacks.


Filed under: , ,

Leave a Comment

(required)  

Email address: (required)