X-Labs
June 11, 2010

World Cup Bad News - Malicious Spam

Forcepoint

Websense® Security Labs™ ThreatSeeker™ Network has detected a new wave of interesting malicious emails. At the dawn of the eagerly anticipated World Cup tournament, we would expect to be inundated with suitably themed spam. The sample we encountered today differs a little from the usual, because the technique used may not raise suspicion. We have seen over 80,000 email messages in this new campaign, which uses an HTML attachment with embedded JavaScript. When the attachment is opened in a browser, the script sends the user to a malicious Web site; the real-time analytics in our ACE engine protect our customers from that site.

You will remember that this same technique, using JavaScript to link to a malicious Web site, was used in a different spam campaign only yesterday.

Below is a screen shot of the email message as seen by an unsuspecting user:

 

Analyzing the attached file, we notice the following obfuscated script: 

 

Beautified results: the script derives the relevant URL by substitution. The "replace" calls perform a simple character substitution that turns a decoy string into the real domain name, so the final domain never appears verbatim in the attachment and a plain text search for it would find nothing.

 

Below we have the de-obfuscated URL:

hxxp://www.advanced[removed].com/xnu4ej/z.htm

 

Following are the results of URL analysis within our tracker. As you can see, we have numerous live real-time analytics protecting against this type of threat and its derivatives:

 

Websense Messaging and Websense Web Security customers are protected against these attacks.
