Scam Report - Fake Voice Mail Email Notification Redirects to Malicious Site

Published: 2012-09-14. Last Updated: 2013-07-13 01:53:01 UTC
by Lenny Zeltser (Version: 1)
4 comment(s)

 We received a report of a recent scam that persuaded the victim to click on a link that claimed to be a recorded voice mail message. (Thanks for the pointer, Sean Thomas.)

According to VCU, the scammer's message had the following contents:

Subject: Voice Mail from 703-892-1228 (55 seconds)

You received a voice mail : N_V50-062-NIDS.WAV (182 KB‎)

Caller-Id: 703-892-1228
Message-Id: 458AH-PEL-02UEU
Email-Id: voice.mail@vcu.edu

This e-mail contains a voice message.
Double click on the link to listen the message.
Sent by Microsoft Exchange Server

Better Business Bureau published a screenshot of a similar message. According to BBB, although the "attachment appears to be a .wav audio file, but it’s really an HTML link that redirects recipients to a malicious website."

As far as we can tell, there is no email attachment in this attack; the message claims to contain a WAV file, but merely includes a link that claims to allow the victim to play that "voice mail."

XtremeComputer.com examined one instance of this attack, stating that the link directed the recipient to "hxxp: //tweetsbazaar.com /5ACeRRyc /index.html" or "hxxp: //www.luckylu.de / EuaWg3cd / index.html". The victim's browser was then presented with a malicious Java applet "Gam.jar" and was further redirect to a URL at 173. 255. 221.74.

The Jsunpack website captured contents of one instance of the exploit being delivered via Gam.jar from 173.255.221.74, which (not surprisingly) contained the malicious Java applet and obfuscated JavaScript. This looks like an instance of the Blackhole Exploit Kit.

If you have additional details regarding this scam and the associated client-side attack, please let us know or leave a comment.

 

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and . He also writes a security blog.

4 comment(s)

Comments

We got one too. Though ours was referring to a URL of hxxp://englishtobe.com/VQAgNL/index.html

Has anyone mentioned how cool the new response-policy zones in bind are? :-) I'm updating our own private RPZ now...
We got a few as well. Ours went to hxxp://fittime.com.au/KnJBLh/index.html and hxxp://verz3.com/eWhJDMB/index.html

So it looks like they have a lot of domains. The file that it was trying to download from the 173.255.221.74 address was "calc.exe". Thankfully, we block executable downloads.
We have had Better Business Bureau, ADP, FDIC, Wells Fargo, voice mail notifications all this week. The links all varied depending on the email.
Fake ADP emails, voice mail notifications lead to Blackhole Exploit Kit
- http://community.websense.com/blogs/securitylabs/archive/2012/09/13/voice-mail-notifications-and-adp-emails-lead-to-blackhole-exploit-kit.aspx
13 Sep 2012
.

Diary Archives