Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Scam Report - Fake Voice Mail Email Notification Redirects to Malicious Site

Published: 2012-09-14
Last Updated: 2013-07-13 01:53:01 UTC
by Lenny Zeltser (Version: 1)
4 comment(s)

 We received a report of a recent scam that persuaded the victim to click on a link that claimed to be a recorded voice mail message. (Thanks for the pointer, Sean Thomas.)

According to VCU, the scammer's message had the following contents:

Subject: Voice Mail from 703-892-1228 (55 seconds)

You received a voice mail : N_V50-062-NIDS.WAV (182 KB‎)

Caller-Id: 703-892-1228
Message-Id: 458AH-PEL-02UEU

This e-mail contains a voice message.
Double click on the link to listen the message.
Sent by Microsoft Exchange Server

Better Business Bureau published a screenshot of a similar message. According to BBB, although the "attachment appears to be a .wav audio file, but it’s really an HTML link that redirects recipients to a malicious website."

As far as we can tell, there is no email attachment in this attack; the message claims to contain a WAV file, but merely includes a link that claims to allow the victim to play that "voice mail." examined one instance of this attack, stating that the link directed the recipient to "hxxp: // /5ACeRRyc /index.html" or "hxxp: // / EuaWg3cd / index.html". The victim's browser was then presented with a malicious Java applet "Gam.jar" and was further redirect to a URL at 173. 255. 221.74.

The Jsunpack website captured contents of one instance of the exploit being delivered via Gam.jar from, which (not surprisingly) contained the malicious Java applet and obfuscated JavaScript. This looks like an instance of the Blackhole Exploit Kit.

If you have additional details regarding this scam and the associated client-side attack, please let us know or leave a comment.


-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and . He also writes a security blog.

4 comment(s)
Diary Archives