
SpyEye Tries to Ruin Your Retirement


A few moments ago a very large campaign began hitting our filters posing as a newsletter from Resource Nation, a business-to-business lead generation service. The newsletter was built to look as though it contained a good amount of information about 401k accounts, with sections entitled "Is Your Company 401k Saavy", "Guide to Learning 401k Terms", and "Considerations When Structuring Your Company's 401k Program". These were clearly made to seem innocuous, and possibly even helpful. The only problem that may be obvious at first glance is that the creators of this campaign appear to have mixed up the content and the emails' subject lines: the subject lines read "Your Windstream bill is available for viewing", which does not match the retirement account content at all. The authors may have realized this and pulled the plug, because the campaign started out strong and disappeared just as quickly.

However, it was still malicious while it lasted. The links in the newsletter led to one of many different domains hosting a malicious JavaScript file that redirected visitors to 198.136.53.72. From there, a drive-by download leverages a Java vulnerability and drops the SpyEye variant on the victim's machine. Once this has taken place, the victim's browser is quickly re-routed to MSN.com.

In many of these campaigns the URL used to get people to the malicious domains is randomized just enough to make it tougher to spot. In this case, however, the URLs were all very similar, which made them much easier to catch. The format was http://[COMPROMISEDDOMAIN.TLD]/[RANDOMSTRING]/index.html?s=883&lid=2324&elq=11f7b1b5179f45b09737bdf10d0fe61f
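The consistent URL shape is what makes this campaign easy to filter. The following is an added detection example, not code from the original post or from AppRiver: it pulls URLs out of an email body and flags those that match the path and query pattern quoted above. The email body and the compromised-domain name are constructed placeholders; the query values are the ones from the observed format.

```python
import re
from typing import List
from urllib.parse import urlparse, parse_qs

# Constructed sample email body (not a real capture): one lure link in the
# campaign's format alongside two benign links that should not be flagged.
SAMPLE_BODY = """
Is Your Company 401k Savvy? Read more:
http://compromised-site.example/aK3xq9/index.html?s=883&lid=2324&elq=11f7b1b5179f45b09737bdf10d0fe61f
Newsletter archive: https://www.example.com/newsletters/2012/index.html
Unsubscribe: https://www.example.com/unsub?lid=2324
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Campaign shape: exactly one random path segment followed by index.html
PATH_RE = re.compile(r"^/[A-Za-z0-9_-]{3,}/index\.html$")
# The elq parameter observed was a 32-character lowercase hex string
ELQ_RE = re.compile(r"^[0-9a-f]{32}$")


def matches_campaign(url: str) -> bool:
    """Return True when a URL has the path and query shape of the lure links."""
    parts = urlparse(url)
    if parts.scheme != "http" or not PATH_RE.match(parts.path):
        return False
    query = parse_qs(parts.query)
    # s, lid and elq must each appear exactly once
    if any(len(query.get(key, [])) != 1 for key in ("s", "lid", "elq")):
        return False
    return bool(
        query["s"][0].isdigit()
        and query["lid"][0].isdigit()
        and ELQ_RE.match(query["elq"][0])
    )


def flag_lure_links(body: str) -> List[str]:
    """Extract every URL from an email body and return those matching the shape."""
    return [url for url in URL_RE.findall(body) if matches_campaign(url)]
```

A real mail filter would combine this shape check with the sender and subject-line mismatch described above rather than rely on the URL pattern alone, since the random segment and the parameter values can change between runs.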

Always be cautious when you receive unsolicited email; it can sometimes be rather convincing. Meanwhile, we at AppRiver are blocking all known variants of these campaigns.
