Spam is very annoying, so we turn to spam filters to avoid ending up with a flooded inbox. Unfortunately, one “anti-spam filter” we’ve encountered isn’t driving junk out, but letting it in.
We have received an email message claiming that it is from Webmail Support. It is posing as a security announcement and states that the recipient’s mail server is sending out spam because it is infected by a virus that could contaminate their contacts and other users of the network.
To correct this, it recommends that the recipient download and install an anti-spam filter and then scan their computer; otherwise, the webmail provider will be entitled to block the recipient’s email account.
The message was in Portuguese and roughly translates into English as:
Dear user, I found that your mail server is automatically sending messages known as SPAM, contaminating your contacts and other users of the network with the Virus 32/Fbd, it sends false messages to e-mail servers.
We recommend the installation of the system Antispam, that it be corrected. Otherwise, the provider of WebMail will be given the right to block all of your e-mail account. Grateful for the attention!
Download Program Antispam filtering below and do a scan on your computer.
Protection of the Webmail service.
* Message for automatic spam filtering. You need not answer it
However, clicking the given link triggers the download of a malicious file instead.
The downloaded file is detected as TROJ_DLOADER.MCS. TROJ_DLOADER.MCS drops TSPY_KEYSPY.S, which logs keystrokes on the affected system and then sends all gathered information to a remote user. Successful execution of these routines could lead to the compromise of the affected system and the loss of critical information.
The Trend Micro Smart Protection Network provides complete protection from this attack, as all three of its components (the spam, the malicious URL, and the malicious files) are already blocked or detected.