Last Updated: 2013-07-13 01:53:01 UTC
by Lenny Zeltser (Version: 1)
We received a report of a recent scam that persuaded the victim to click on a link that claimed to be a recorded voice mail message. (Thanks for the pointer, Sean Thomas.)
According to VCU, the scammer's message had the following contents:
Subject: Voice Mail from 703-892-1228 (55 seconds)
You received a voice mail : N_V50-062-NIDS.WAV (182 KB)
This e-mail contains a voice message.
Double click on the link to listen the message.
Sent by Microsoft Exchange Server
The Better Business Bureau published a screenshot of a similar message. According to BBB, the "attachment appears to be a .wav audio file, but it’s really an HTML link that redirects recipients to a malicious website."
As far as we can tell, there is no email attachment in this attack; the message claims to contain a WAV file, but merely includes a link that claims to allow the victim to play that "voice mail."
XtremeComputer.com examined one instance of this attack, stating that the link directed the recipient to "hxxp: //tweetsbazaar.com /5ACeRRyc /index.html" or "hxxp: //www.luckylu.de / EuaWg3cd / index.html". The victim's browser was then presented with a malicious Java applet "Gam.jar" and was further redirected to a URL at 173. 255. 221.74.
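An added example, not code from this diary or the sources it cites: it flags HTML mail in which a link's visible text names an audio file while the message carries no audio attachment, which is the mismatch described above. The sample message is constructed from the quoted wording; its sender address and link target are placeholders, and the assumption that the link text is the WAV file name is ours.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

AUDIO_NAME = re.compile(r"[\w.-]+\.(?:wav|mp3|wma)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_voicemail_lure(raw):
    """Flag links labelled as audio files in a message with no audio attachment."""
    msg = message_from_string(raw, policy=policy.default)
    has_audio = any(p.get_content_maintype() == "audio"
                    or AUDIO_NAME.search(p.get_filename() or "")
                    for p in msg.walk() if not p.is_multipart())
    html = msg.get_body(preferencelist=("html",))
    if has_audio or html is None:
        return []
    collector = LinkCollector()
    collector.feed(html.get_content())
    return [(text, href) for href, text in collector.links
            if AUDIO_NAME.search(text) and href.lower().startswith(("http://", "https://"))]

# Constructed sample: wording from the quoted message; link target is a placeholder.
SAMPLE = """\
From: sender@example.invalid
Subject: Voice Mail from 703-892-1228 (55 seconds)
Content-Type: text/html; charset="utf-8"

<p>You received a voice mail :
<a href="http://example.invalid/placeholder/index.html">N_V50-062-NIDS.WAV</a> (182 KB)</p>
"""

if __name__ == "__main__":
    for text, href in check_voicemail_lure(SAMPLE):
        print(f"suspicious: '{text}' is a link to {href}, not an attachment")
```

A message that really carries an audio part, or whose links have ordinary text, produces no findings.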
If you have additional details regarding this scam and the associated client-side attack, please let us know or leave a comment.
-- Lenny Zeltser
Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and Google+. He also writes a security blog.