Yet another "Skype Themed" malicious spam.
We are currently processing several thousand messages in yet another email spam campaign, this time related to Skype and all its goodness.
Unlike the other malicious campaigns we have seen recently, this one does not make use of an attachment, but instead provides the unsuspecting user with a URL to download add-ons for Skype, which are malicious. The URLs themselves are fairly new: the domains being used are no more than a month old. As a result of this they do not appear suspect, and with enticing and legitimate-enough names, a user could easily be misled into thinking these are for a good cause.
The structure of the email message looks very well composed, as it has all the necessary words to make it look legitimate as can be seen from the screenshot below.
The URLs themselves consist of a number of redirections until reaching that of the payload, where a shadow.js file which contains a malicious routine is appended to the URL.
The aim of this campaign is to lure users into divulging sensitive information such as credit card details, name etc as it provides the user with a payment page which masquerades as a url using ssl for secure payment as can be seen from the screen shots below.
The user is presented with the above screen upon clicking on the url within the email message where the first of the redirections would have already occured.
From this point on, the gathering of data takes place as the phishing for user information begins.
Here the final stage of the Phishing plot occurs as the user is prompted for the all important payment details (In this instance Credit Card details).
The last of the screen shots focuses on the certificate information as this comes across as legitimate with the change in protocol from http:// to https://.
At present we have seen over 15,000 of these email messages through our Websense Hosted Email Security product.
Websense® Messaging and Websense Web Security customers are protected against this attack.
