By Dave Michmerhuizen – Research Scientist, Luis Chapetti – Security Researcher
Spammers are always looking for an angle to get onto your computer, and the continued adoption of digital PBX systems has given them a new type of business email to spoof – the email message that contains a voicemail attachment.
Most modern digital PBX systems offer the option of capturing voicemail as a sound file and sending it to the phone’s owner as an email attachment. These messages have become so common that users might not examine them with a critical eye, especially if they are anxiously awaiting a message from someone.
This week Barracuda Labs researchers saw a short-lived but very high volume spam campaign mimicking these sorts of messages.
The messages are generic and well written enough not to raise much suspicion. The giveaway is that the link to the supposed sound file is actually a link to a compromised Russian website. The fact that it is a link is by itself suspect, as most PBX systems that email voice message files attach the sound file to the email message, as shown below.
The thing is, you don’t want to pass up a voice mail message, do you? What if it’s real? What if it’s important?
Well, those spam links aren’t real, and taking a chance on one of them could ruin your day. The compromised websites that they link to will display a distracting message like this one.
While you wonder about this, the browser is being redirected to an IP address hosting the Blackhole exploit kit, which sends malicious code to take over various browser add-ons such as Java, Adobe Flash and Adobe PDF reader. Older Windows Help and Windows Media Player vulnerabilities are sometimes targeted as well.
If a vulnerability is found and exploited, then that code goes to work downloading a variant of Trojan.Zeus, one of the most common credential stealers on the internet. This malware injects itself into the web browser stack and silently monitors your internet traffic looking for usernames and passwords to steal, particularly those of banks and other financial institutions. The ultimate aim is identity theft.
As always, be very careful with links in emails. If they don’t look right, or you’re just not sure, don’t click on them.
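The tell described above (a voicemail notification that links to the recording instead of attaching it) can be checked mechanically at a mail gateway or in a triage script. The following is an added example, not Barracuda's detection logic; the keyword pattern, the audio extensions, the function name `classify_voicemail` and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed wording and extensions; tune these for the PBX product in use.
VOICEMAIL_HINT = re.compile(r"\bvoice\s?-?mail\b|\bvoice message\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
AUDIO_EXT = (".wav", ".mp3", ".wma", ".m4a", ".ogg")

def classify_voicemail(raw: str) -> dict:
    """Flag voicemail-themed mail that carries links but no sound file."""
    msg = message_from_string(raw)
    has_audio, urls, text = False, [], [msg.get("Subject", "")]
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_maintype() == "audio" or name.endswith(AUDIO_EXT):
            has_audio = True
        elif part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body = payload.decode(part.get_content_charset() or "utf-8", "replace")
            text.append(body)
            urls += URL.findall(body)
    themed = bool(VOICEMAIL_HINT.search("\n".join(text)))
    return {"voicemail_themed": themed, "has_audio_attachment": has_audio,
            "urls": urls, "suspicious": themed and not has_audio and bool(urls)}

# Constructed sample: link-only notification, like the campaign described above.
SPOOFED = (
    "From: pbx@example.com\n"
    "Subject: New voicemail message\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>You have a new voice message. '
    '<a href="http://compromised.example/vm.html">Listen</a></p>\n'
)
# Constructed sample: notification with the recording attached.
GENUINE = (
    "From: pbx@example.com\n"
    "Subject: Voicemail from 5550100\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nThe recording is attached.\n"
    '--b1\nContent-Type: audio/wav; name="msg.wav"\n'
    'Content-Disposition: attachment; filename="msg.wav"\n'
    "Content-Transfer-Encoding: base64\n\nUklGRg==\n--b1--\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, classify_voicemail(raw))
```

Because most, not all, PBX systems attach the recording, treat the `suspicious` flag as one signal to combine with sender and URL reputation checks.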
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of these threats.