Amazon orders and email confirmation leads to PDF malware


Since last week, MX Lab has been intercepting emails with requests to confirm your email address or orders processed by Amazon. This campaign has been received in quite large quantities and we have been investigating what the emails are about.

At first we thought they were phishing emails, but so far we haven’t been able to establish a connection with the sites that are mentioned in the URLs included in the message.

This is the latest screenshot of an email requesting confirmation of the email. The layout is very well done, as you can see. The Amazon images are embedded in the message through an image tag and they come directly from Amazon's servers.

But the links in the email are obfuscated and point to web sites like:

hxxp://busnwsonline.com/index.php?pid=14

Which redirects in this case to:

hxxp://lunchstroke.ru:8080/index.php?pid=14

Following the URL will lead you to short-lived web sites hosting malicious PDF files. The PDF file appears to be offered in an HTML iframe tag so that it can be launched with no interference.
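The mismatch described above (images loaded from Amazon hosts, links pointing elsewhere) can be checked in a mail filter. The following is an added example, not MX Lab's code; the `BRAND_SUFFIXES` list, the function names, and the sample body with its `example.test` host are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: host suffixes treated as genuine Amazon hosts for this check.
BRAND_SUFFIXES = ("amazon.com", "images-amazon.com")

def host_of(url):
    """Return the lowercase hostname of a URL, or None (handles hxxp defanging)."""
    url = (url or "").strip()
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return (urlsplit(url).hostname or "").lower() or None

def is_brand(host):
    return any(host == s or host.endswith("." + s) for s in BRAND_SUFFIXES)

class HostCollector(HTMLParser):
    """Collect the hosts behind <img src> and <a href> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.img_hosts, self.link_hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            host, bucket = host_of(attrs.get("src")), self.img_hosts
        elif tag == "a":
            host, bucket = host_of(attrs.get("href")), self.link_hosts
        else:
            return
        if host:
            bucket.add(host)

def brand_mismatch(html):
    """Return off-brand link hosts when the mail loads images from brand hosts."""
    c = HostCollector()
    c.feed(html)
    if not any(is_brand(h) for h in c.img_hosts):
        return []
    return sorted(h for h in c.link_hosts if not is_brand(h))

# Constructed sample body; the host under example.test is a placeholder.
SAMPLE = """<html><body>
<img src="https://images.amazon.com/logo.gif">
<p>Please confirm your e-mail address.</p>
<a href="hxxp://confirm.example.test/index.php?pid=14">Confirm</a>
<a href="https://www.amazon.com/help">Help</a>
</body></html>"""

if __name__ == "__main__":
    print(brand_mismatch(SAMPLE))
```

A non-empty result is a signal for further inspection rather than a verdict, since legitimate mail can also link to third-party hosts.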
