Spammers ask themselves, what sort of email will people click on? The offer of a big sale? Notice of a missed package? An email from a lonely Russian girl?
How about a flight you don’t remember booking? If you’re a frequent flyer, the appearance of an unanticipated itinerary in your inbox could have you clicking without thinking, and that would be a very bad thing.
This is especially true if you were the recipient of a very convincing piece of spam we found this week.
One way that spammers enhance the illusion is to construct long confusing links that contain elements that mimic the domain you would expect to see when examining a link. For example, all of the links in this spam point to accidentology.info, a newly-registered temporary domain created presumably just for the purpose of this campaign. However, the name of the web page that serves the initial redirection is:
The intent of the URL is to draw your eye towards the part that says www.aa.com, even though that domain has nothing to do with the link. The actual attacks are delivered from a long subdomain that starts with www.aaa.com.reservation….., which also attempts to disguise that they come from a malicious domain registered only days earlier.
Although all of the links in the spam are slightly different, they all accomplish the same thing – they lead to an instance of the BlackHole exploit kit which examines the browser and serves up an exploit. In our test case, java was exploited:
Ultimately a version of Trojan.Zeus – a password stealer – was installed on the machine, and the Trojan went right to work contacting command and control servers.
Our standard advice applies. Don’t click on unsolicited emails, even if they come from someone you might know. Even if an email appears convincing, visit the website directly instead of clicking on the link within the email. Make this your standard operating procedure and you can avoid clever attacks such as this.