X-Labs
June 8, 2010

Part 3: Another way of "Protection Centre" spreading

Forcepoint

Websense® Security Labs™ ThreatSeeker™ Network has detected another wave of malicious spam relating to rogue AV.

This is not a new type of attack: we have seen a variation of it in the past, as blogged about here. The subject line and content of the email message are exactly the same; the only difference between the two campaigns is the attachment. This time the attachment is a PDF file that is an actual resume, except that it has a script embedded within it which invokes a prompt to launch a rogue AV.

This attack proves just how easily cyber criminals can exploit unsuspecting users, as the email seems legitimate enough from its contents and subject. So far we have seen in excess of 160,000 email messages with the same subject and content.

 

The attack is in line with the recent spell of attacks relating to Twitter accounts needing password resets for users. As in the previous campaigns, the main goal seems to be spreading the PDF file so that unsuspecting users launch it and run the rogue AV.

Currently 19 of the 41 engines on VirusTotal detect the attachment as malicious, so there is ample coverage for this.
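For mail gateways that want a check independent of AV signatures, the following added example (not Websense code) triages a PDF attachment by counting name objects associated with scripts and automatic actions, including names hidden with `#xx` hex escapes. The post does not say which PDF feature this attachment used, so the name list and the sample bytes are assumptions constructed for illustration.

```python
import re

# Standard PDF name objects tied to active content (assumed list; the post
# does not state which one this campaign's attachment relied on).
ACTIVE_NAMES = ("JS", "JavaScript", "OpenAction", "AA", "Launch", "EmbeddedFile")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name starts with "/" and runs until whitespace or a PDF delimiter.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as JavaScript."""
    decoded = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count active-content names in the raw bytes of an attachment.

    Limitation: names inside compressed object streams are not visible
    to this scan, so an empty result is not proof that a file is clean.
    """
    counts = {name: 0 for name in ACTIVE_NAMES}
    obfuscated = 0
    for match in _NAME.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if raw != name.encode("latin-1"):
                obfuscated += 1  # escaped spelling of a sensitive name
    return {
        "is_pdf": b"%PDF-" in data[:1024],
        "counts": counts,
        "flagged": [n for n in ACTIVE_NAMES if counts[n]],
        "obfuscated_names": obfuscated,
    }


# Constructed sample: fragments of a PDF catalog with an auto-run script
# action whose body is a placeholder. Not taken from the campaign.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /J#61vaScript /JS (placeholder) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

A resume has no reason to carry any of these names, so a non-empty `flagged` list on an unsolicited attachment is grounds for quarantine, and a non-zero `obfuscated_names` count is a stronger signal still.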

 

Websense® Messaging and Websense Web Security customers are protected against this attack. 
