World Cup Bad News – Malicious Spam


Websense® Security Labs™ ThreatSeeker™ Network has detected a new wave of interesting malicious emails. At the dawn of the eagerly anticipated World Cup tournament, we would expect to be inundated with suitably themed spam. The sample we have encountered today is a little different from the usual, as the technique used may not raise suspicion. We have seen over 80,000 email messages in this new campaign, which uses an HTML attachment with embedded JavaScript. Upon execution, this script redirects the recipient to a malicious Web site; the real-time analytics in our ACE engine protect our customers against it.


You will remember that this same technique of using JavaScript to link to a malicious Web site was used in a different spam campaign only yesterday.


Below is a screen shot of the email message as seen by an unsuspecting user:


Analyzing the attached file, we notice the following obfuscated script:


Beautified results: in the cleaned-up script we can identify the use of string substitution to derive the relevant URL. The "replace" section of the script performs a simple substitution to generate the domain name.
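As an added example (not Websense's code and not the campaign's script), the following Python performs static triage of an HTML attachment that hides its redirect target behind JavaScript `replace()` substitution, the technique described above. The sample attachment, the placeholder domain and the function names are constructed assumptions; nothing is executed, the substitution is emulated with Python's `re` module.

```python
"""Static triage of an HTML e-mail attachment whose JavaScript derives a
redirect URL through String.replace() substitution. No JavaScript runs."""
import re
from typing import Dict, List

# Constructed sample (not the real attachment). It mirrors the described
# technique: a padded literal is cleaned up with replace() and used as a
# redirect target. The domain is a reserved placeholder, not a real host.
SAMPLE_HTML = """<html><body><script>
var h = "wPwPwP.exPaPmplPe.inPvalPid".replace(/P/g, "");
var p = "xnu4ej/z.htm";
window.location = "http://" + h + "/" + p;
</script></body></html>"""

# "literal".replace(/regex/flags, "repl")  or  "literal".replace("from", "to")
REPLACE_CALL = re.compile(
    r'"([^"]*)"\s*\.replace\(\s*(?:/((?:\\/|[^/])+)/([gimsuy]*)|"([^"]*)")'
    r'\s*,\s*"([^"]*)"\s*\)')
# Sinks that turn a derived string into navigation or injected markup.
REDIRECT_SINK = re.compile(
    r'\b(?:window\.)?location(?:\.href)?\s*=|location\.replace\(|document\.write\s*\(')
URLISH = re.compile(r'(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[\w./-]*)?', re.I)


def emulate_replace(html: str) -> List[str]:
    """Return the string each replace() call would produce, without running JS.
    Assumption: replacements are literal text ($1 back-references are not emulated)."""
    out = []
    for lit, rx, flags, plain, repl in REPLACE_CALL.findall(html):
        if rx:  # regex form: 'g' means all occurrences, 'i' means case-insensitive
            count = 0 if "g" in flags else 1
            out.append(re.sub(rx, lambda _m: repl, lit, count=count,
                              flags=re.I if "i" in flags else 0))
        else:   # string form: JavaScript replaces only the first occurrence
            out.append(lit.replace(plain, repl, 1))
    return out


def triage(html: str) -> Dict[str, object]:
    """Flag an attachment that both derives a host via replace() and redirects."""
    decoded = emulate_replace(html)
    hosts = [m.group(0) for s in decoded for m in URLISH.finditer(s)]
    redirect = bool(REDIRECT_SINK.search(html))
    return {"decoded": decoded, "hosts": hosts, "redirect": redirect,
            "suspicious": redirect and bool(hosts)}
```

The recovered host names are what you would submit to URL analysis or block at the gateway, and the `suspicious` verdict is the condition a mail filter could act on before any user opens the attachment.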


Below we have the de-obfuscated URL:

hxxp://www.advanced[removed].com/xnu4ej/z.htm


Following are the results of URL analysis within our tracker. As you can see, we have numerous live real-time analytics protecting against this type of threat and its derivatives:


Websense Messaging and Websense Web Security customers are protected against these attacks.