Voice Message emails contain security threat


MX Lab, http://www.mxlab.eu, started to intercept a large email campaign with the subject “Voice Message #0768384921” (numbers may vary). It is a continuation of the previous campaign targeting RBS customers.

This email is sent from the spoofed address “Message Admin <martin.smith@essex.org.uk>” and has the following body:

Voice redirected message

hxxp://crcmich.org/bankline/message.php
Sent: Thu, 13 Nov 2014 11:54:24 +0000

The embedded URL in our sample leads to hxxp://crcmich.org/bankline/message.php. This opens an HTML document with embedded JavaScript that uses ActiveXObject or a regular HTTP request to start a download, so that the malicious file is opened and/or saved as instructed.
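
The traits described above can be turned into a mail-filter check. The following is an added example, not MX Lab's own code: the function names and the two-trait threshold are assumptions, and matching the URL path on any host generalizes beyond the single URL documented here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Traits taken from the campaign description; matching the URL path on any
# host is an assumption, the page only documents one URL.
SUBJECT_RE = re.compile(r"^Voice Message #\d+$")
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^/\s]+(/\S*)?", re.I)  # live or defanged
LURE_PATH = "/bankline/message.php"
LURE_TEXT = "voice redirected message"
DISPLAY_NAME = "Message Admin"

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode("utf-8", "replace"))
    return "\n".join(chunks)

def campaign_indicators(raw):
    """Return the campaign traits present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = body_text(msg)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject")
    if parseaddr(msg.get("From") or "")[0] == DISPLAY_NAME:
        hits.append("display_name")
    if LURE_TEXT in body.lower():
        hits.append("lure_text")
    if any((m.group(1) or "").split("?")[0] == LURE_PATH for m in URL_RE.finditer(body)):
        hits.append("lure_url")
    return hits

def is_campaign_match(raw):
    """Flag on the subject pattern plus at least one body trait."""
    hits = campaign_indicators(raw)
    return "subject" in hits and bool({"lure_text", "lure_url"} & set(hits))

# Constructed sample built from the values quoted on this page (URL kept defanged).
SAMPLE = (
    "From: Message Admin <martin.smith@essex.org.uk>\n"
    "Subject: Voice Message #0768384921\n"
    "\n"
    "Voice redirected message\n\n"
    "hxxp://crcmich.org/bankline/message.php\n"
    "Sent: Thu, 13 Nov 2014 11:54:24 +0000\n"
)
# Constructed benign message that shares only the word "voice".
BENIGN = "From: PBX <pbx@example.com>\nSubject: New voicemail from 1001\n\nYou have 1 new message.\n"
```

Requiring the subject pattern plus a body trait keeps an ordinary voicemail notification from being flagged on a single coincidental match.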