A Dispatch


June 18, 2010

Canadian Pharmacy Needs a Dose of Imodium

The Spamhaus Number One Spammer, Canadian Pharmacy (or affiliates), has been pouring out more poisonous junk recently than the BP oil well.

Most recently, the messages include a small HTML document that is sent as a Base64-encoded attachment. Decoding the attachment reveals a whole lot of JavaScript code that has tons of red herring statements in it (real script-kiddie stuff), but it all boils down to a document.href statement that points to a URL whose page is always z.html. Of course, that URL is not the final destination, but merely a waypoint onto the spamvertised web page where that god-awful Canadian Pharmacy peddles its potentially deadly crap.
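A static triage of the attachment described above, as an added example that is not from the original post: it decodes the Base64 HTML part and pulls out literal redirect targets without rendering the page or running its script. The sample message, the sender address and the example.invalid URLs are constructed, and the regex assumes the destination is assigned as a plain string; a script that assembles the URL at run time would not be caught this way.

```python
import base64
import re
from email import message_from_string, policy

# Literal string assigned to (or passed to replace/assign on) a navigation property.
REDIRECT_RE = re.compile(
    r"""\b(?:(?:document|window|self|top)\.(?:location(?:\.href)?|href)
           |location(?:\.href)?)
        \s*(?:=(?!=)|\.(?:replace|assign)\s*\()\s*["']([^"']+)["']""",
    re.VERBOSE | re.IGNORECASE,
)

def redirect_targets(raw_message):
    """Return (filename, url) for each redirect found in an HTML attachment."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html"
        if not (is_html or name.lower().endswith((".html", ".htm"))):
            continue
        payload = part.get_payload(decode=True)  # undoes Base64; None for containers
        if payload is None:
            continue
        html = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        hits += [(name, url) for url in REDIRECT_RE.findall(html)]
    return hits

# Constructed sample: decoy statements around a single redirect to a z.html page.
SAMPLE_HTML = """<html><body><script>
var a = 17; var b = "q" + a;
function n(x) { return x * 3 - a; }
if (n(4) == 99) { b = "http://decoy.example.invalid/"; }
document.location.href = "http://waypoint.example.invalid/z.html";
</script></body></html>"""

def build_sample():
    b64 = base64.encodebytes(SAMPLE_HTML.encode()).decode()
    return (
        "From: sender@example.invalid\nSubject: Love Of My Life\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="B"\n\n'
        "--B\nContent-Type: text/plain\n\nopen attach and read all ;)\n"
        '--B\nContent-Type: text/html; name="loveletter.html"\n'
        'Content-Disposition: attachment; filename="loveletter.html"\n'
        "Content-Transfer-Encoding: base64\n\n" + b64 + "--B--\n"
    )

if __name__ == "__main__":
    print(redirect_targets(build_sample()))
```

A mail gateway could use the returned URLs to quarantine the message or to feed a blocklist, since the recipient never has to open the attachment for the waypoint to be identified.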

In the last few days, the social engineering side of the campaigns — the message Subject: lines and enticing bodies — had been directed to recipients who might fall for the "secret admirer" scam. Subject: lines were things like "Love Of My Life", and message bodies were along the lines of:

You Complete Me

open attach and read all ;)

The HTML file attachment for many was named "loveletter.html."

Then, overnight, they (or a different affiliate) supplemented their repertoire with some Angelina Jolie and other "Holywood" [sic] superstar orgy videos, with subject lines in all caps that include the word SCANDAL. "[C]lick attached link and see video now", the message urges.

This morning saw another group, titled "adultfriendfinder new messages", with a message body indicating I have three messages from young 20-something women. Yeah.

I urge you not to go down the trail. It is very possible that affiliates are being paid for visits whose referrers are the domains hosting the z.html files. Rewarding those bastards will just keep it coming.

Posted on June 18, 2010 at 10:10 AM