December 13, 2011
main.php Malware Lures Continue
In the apparently never-ending saga of the main.php malware lures, I saw two today, one of which was a variant of the Adobe CS4 license trick.
Here they are:
From: sales1@[my own domain].com
Subject: Re: Fwd: Order K90309811
Hello,
You can download your Windows Vista License here -
Microsoft Corporation
Like the earlier Adobe message, this one attempts to lure with a previous-generation product license. Since the crooks aren't really giving anything away, I'm still puzzled why they flaunt a license for an outmoded version.
Subject: Im shocked!
Have you seen how much money has Cameron spent on his new movie?
What a graphics, check out the trailer!
Yes, both lines are underlined, but only the second one is a clickable link.
In the case of both messages, the actual links take victims to hijacked legitimate web sites, where the page contains an iframe that loads (from a URL that ends in main.php) an obfuscated JavaScript page from a Russian web site. Unlike antivirus sites that delve into the particular exploits being used by the malware attacks, I couldn't care less. My concern is teaching recipients of this junk to think twice — if not thrice — about clicking on links from unsolicited email.
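For owners of the legitimate sites that get hijacked this way, the injection described above can be checked for directly. This is an added example, not code from the original post: it lists iframes on a page that load a file named main.php from a different host. The host names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def suspicious_iframes(page_url, html, lure_file="main.php"):
    """Return iframe URLs that point off-site to a path ending in lure_file."""
    collector = IframeCollector()
    collector.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    hits = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        parts = urlparse(absolute)
        host = (parts.hostname or "").lower()
        filename = parts.path.rsplit("/", 1)[-1].lower()  # query string ignored
        if host and host != page_host and filename == lure_file:
            hits.append(absolute)
    return hits


# Constructed sample: a page on a hijacked site with one injected iframe.
SAMPLE_URL = "http://hijacked-site.example/news/index.html"
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/main.php" width="300" height="200"></iframe>
<iframe src="http://landing.example/in/main.php" width="1" height="1"></iframe>
<iframe src="//video.example/embed/42"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for url in suspicious_iframes(SAMPLE_URL, SAMPLE_HTML):
        print("off-site main.php iframe:", url)
```

A same-site main.php and an off-site iframe with a different file name are both left alone; only the combination the post describes is reported.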
Posted on December 13, 2011 at 09:47 AM