SpyEye Tries to Ruin Your Retirement
A few moments ago a very large campaign began hitting our filters posing as a newsletter from Resource Nation, a business-to-business lead-generation service. The newsletter was built to look as though it contained a good amount of information about 401k accounts, with sections entitled "Is Your Company 401k Saavy", "Guide to Learning 401k Terms", and "Considerations When Structuring Your Company's 401k Program". These were definitely made to seem innocuous, and possibly even helpful. The only problem that may be obvious at first is that the creators of this campaign appear to have mixed up the content and the emails' subject lines: the subject lines read "Your Windstream bill is available for viewing", which doesn't match the retirement account content. The authors may have realized this and pulled the plug, because the campaign started out strong and disappeared just as quickly.
In many of these campaigns the URL used to get people to the malicious domains is randomized just enough to make it tougher to spot. These, however, were all very similar, making them much easier to spot. The format was http://[COMPROMISEDDOMAIN.TLD]/[RANDOMSTRING]/index.html?s=883&lid=2324&elq=11f7b1b5179f45b09737bdf10d0fe61f
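Because only the host and one path segment vary in the URL format quoted above, a filter can match on the parts that stay fixed. The following Python is an added example, not AppRiver's filter code: it pulls URLs out of a message body and flags those with the campaign's path shape and query values. The sample body and its .example hostnames are constructed, and accepting https as well as http is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fixed query values copied from the URL format quoted in the post.
CAMPAIGN_QUERY = {
    "s": "883",
    "lid": "2324",
    "elq": "11f7b1b5179f45b09737bdf10d0fe61f",
}
# Exactly one directory segment, then index.html: /[RANDOMSTRING]/index.html
PATH_RE = re.compile(r"^/[^/]+/index\.html$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample body; the .example hostnames are placeholders.
SAMPLE_BODY = """\
<a href="http://compromised-site.example/x7Kq2p/index.html?s=883&amp;lid=2324&amp;elq=11f7b1b5179f45b09737bdf10d0fe61f">View bill</a>
Past issues: http://newsletter.example/archive/index.html?s=12&lid=9
Plain: http://another-host.example/Zz91/index.html?lid=2324&elq=11f7b1b5179f45b09737bdf10d0fe61f&s=883.
"""


def matches_campaign(url: str) -> bool:
    """Return True if url has the structure of the campaign's links."""
    parts = urlsplit(url)
    # The post shows http only; accepting https too is an assumption.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if not PATH_RE.match(parts.path):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    # Each fixed parameter must appear exactly once with the known value;
    # parameter order and any extra parameters are ignored.
    return all(query.get(k) == [v] for k, v in CAMPAIGN_QUERY.items())


def flag_links(body: str) -> list[str]:
    """Extract URLs from a message body and return the campaign matches."""
    hits = []
    for raw in URL_RE.findall(body):
        # HTML mail escapes ampersands; prose often ends a URL with punctuation.
        url = raw.replace("&amp;", "&").rstrip(".,;)")
        if matches_campaign(url):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for link in flag_links(SAMPLE_BODY):
        print("campaign link:", link)
```

Matching on parsed components rather than the raw string means reordered parameters and HTML-escaped ampersands are still caught, while a legitimate newsletter link with the same path shape but different query values is not.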
Always be cautious when you receive unsolicited email; it can sometimes be rather convincing. Meanwhile, we at AppRiver are blocking all known variants of these campaigns.