
When Spam Promises the Stars

  • Posted on:June 17, 2008 at 11:54 pm
  • Posted in:Bad Sites
  • Author:
    Jovi Umawing (Technical Communications)

…never believe it, for recipients of such email messages are bound to find out that, indeed, some promises are meant to be broken.

Trend Micro Advanced Threats Researcher Joey Costoya discovered the latest spam to hit the wild this week. Its lure is hardly out of the ordinary, since the same come-hither tactic has been seen many times before, but its infection sequence is convoluted enough to make heads spin.

The said spam entices recipients using famous female celebrities to download a purported media file, such as an MP3 or image file, by clicking on a link in the message body (see Figure 1).


Figure 1: Screenshot of Sample Spam Email

Once spam recipients click on Download now, they are directed to the site hxxp://{BLOCKED}lic.fr/index.php, which in turn redirects to a landing page at hxxp://{BLOCKED}lic.fr/index8.html. This page then displays a small dialog box with standard option buttons (see Figure 2), and clicking on any of them (or anywhere inside the dialog box, for that matter) leads users to hxxp://{BLOCKED}lic.fr/video.exe, from where an executable file bearing the name VIDEO.EXE is downloaded. The file name is chosen to further trick users into thinking that the download is a legitimate media file.


Figure 2: Screenshot of the landing page, index8.html which contains a white screen with a small square image on the top left corner, along with the dialog box

Trend Micro now detects this file as TROJ_ZLOB.FZI.

Costoya adds that the said landing page contains two further hooks: (1) a META tag that directs recipients to download the same executable file; and (2) an IFRAME tag that points to the site http://{BLOCKED}lic.fr/pindex.php. That PHP page contains JavaScript (JS) that attempts to make users download yet another executable file, this time from http://{BLOCKED}lic.fr/load.php. The second download fails, however, due to an error in the PHP page's code.
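The two hooks described above (a META tag that pushes an executable download and an IFRAME that pulls in a further PHP page) are exactly what a defender would look for when triaging a suspicious landing page. The scanner below is an added example, not code from the post or from Trend Micro; it assumes the META tag is an http-equiv refresh, treats iframe dimensions as an extra signal, and uses a constructed sample page with a placeholder host in place of the blocked one.

```python
from html.parser import HTMLParser
import re

# Constructed sample modelled on the landing page described in the post:
# a meta refresh to an .exe plus an iframe to a PHP page. The host is a
# placeholder, not the real (blocked) domain.
SAMPLE_LANDING_PAGE = """
<html><head>
<meta http-equiv="refresh" content="0;url=http://example.invalid/video.exe">
</head><body>
<img src="logo.gif">
<iframe src="http://example.invalid/pindex.php" width="1" height="1"></iframe>
</body></html>
"""

EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat)(\?|$)", re.I)


class LandingPageScanner(HTMLParser):
    """Collects drive-by download indicators: a meta refresh whose target is
    an executable, and iframes (flagged as hidden when 0/1 px in size)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0;url=http://host/file.exe"
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            if m and EXECUTABLE_EXT.search(m.group(1)):
                self.findings.append(("meta_refresh_to_executable", m.group(1)))
        elif tag == "iframe":
            src = a.get("src") or ""
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.findings.append(("hidden_iframe" if tiny else "iframe", src))


def scan_landing_page(html):
    """Return a list of (indicator, url) tuples found in the page."""
    scanner = LandingPageScanner()
    scanner.feed(html)
    return scanner.findings


def is_suspicious(html):
    """True when the page auto-downloads an executable and also loads an iframe."""
    kinds = {kind for kind, _ in scan_landing_page(html)}
    return "meta_refresh_to_executable" in kinds and bool(kinds & {"iframe", "hidden_iframe"})
```

Run `scan_landing_page(SAMPLE_LANDING_PAGE)` to list the indicators, or `is_suspicious(...)` for a single verdict suitable for a mail-gateway or proxy check.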

Below is a list of other possible message bodies used by this spam:

  • Cameron Diaz Full dvd!!!
  • Demi Moore Gallery sexy songs!!!
  • Jennifer Aniston Gallery photo!!!
  • Jennifer Lopez Interesting photo!!!
  • Kate Moss Stunning photo!!!
  • Meg Ryan Stunning porno dvd!!!
  • Monica Bellucci Interesting video with a naked celebrity!!!
  • Penelope Cruz Full video with a naked celebrity!!!
  • Rihanna Kick-up mp3!!!
  • Veronika Zemanova Shocking mpeg4!!!

Costoya noted that all the pages only load in Internet Explorer (IE).

Trend Micro users are advised to keep their pattern files updated and to scan their systems regularly. Avoid clicking on links in emails from questionable sources, and even links from an apparently trustworthy sender should be left alone unless the sender has confirmed sending them. It also never hurts to keep applications patched, which keeps systems out of reach of vulnerability exploits.

Tags: celebrity, social engineering, Spam
