A Dispatch

December 08, 2011

More main.php Hijinks [Updated]

Today's episode of As the main.php Malware World Turns features another trick designed to fool recipients into clicking a dangerous link that eventually leads to the Russian-based main.php malware loading page. These tricks have been reported here more often than a Kardashian appears on TMZ.

The subject matter of the latest is some vague contract that's supposedly of interest to you. Here's a sample:

Subject: Your new contract

As we arranged on our last meeting in the office we've got the contract ready, plase study it carefully and let us know whether you accept all the issues.
We've attached the copy of the contract below
Contract.doc 122kb

Best wishes
Laverne Bennett

MD5 check sum: a5e61bd3afa5495e1954b20849faf7d8

There is no attachment. Instead, the clickable link goes to a hijacked legitimate web site, where the page loads the Russian-based main.php page into an iframe element. The checksum at the end is completely bogus — just like the so-called "fingerprint" of other messages in this campaign.
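As an added illustration of the two tells described above (not code from the original dispatch), here is a small Python check a site owner or mail admin could run: it flags iframes on a fetched page that pull main.php from a foreign host, and it tests whether a claimed "MD5 check sum" even has the shape of a real digest. The HTML sample and the host name victim.example are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def suspicious_iframes(html, page_host):
    """Return iframe src values that load main.php from a host other than the page's own.

    A same-host /main.php is left alone; the injected loader on a hijacked
    site points at a third-party server, which is the pattern to flag.
    """
    collector = IframeCollector()
    collector.feed(html)
    flagged = []
    for src in collector.srcs:
        parsed = urlparse(src)
        if not parsed.path.lower().endswith("main.php"):
            continue
        if parsed.netloc and parsed.netloc.lower() != page_host.lower():
            flagged.append(src)
    return flagged


def checksum_is_plausible_md5(value):
    """A genuine MD5 digest is exactly 32 hex characters; anything else is decoration."""
    return re.fullmatch(r"[0-9a-fA-F]{32}", value.strip()) is not None


# Constructed sample: a compromised page with a hidden, injected iframe
# plus a harmless same-host frame that must not be flagged.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://bad.example/x/main.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/local/main.php"></iframe>
</body></html>"""
```

Note that the first message's checksum passes the shape test and is still meaningless, since it is a digest of nothing; the format check only catches the sloppier variants like the 13-character one in the update.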

A second variation also arrived today:

Subject: Re: Fwd: Changelog New

Good day,
changelog update - Changelog


Fingerprint: 95e1b203-af72084b

Just vague enough to make it look harmless. But it's not. By the way, if this looks familiar, take a look at this Spam Wars Dispatch from June, 2010. Coincidence? No. Same asshole switching between malware loader attachments and links.

Sadly, I believe the creator of the more recent messages leading to main.php has a good handle on what tricks unsuspecting recipients into clicking links. And that makes me mad.

Update (9Dec2011): I saw another version of the contract malarkey:

Subject: The variant of the contract you've offered has been delcined.[sic]

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
Contract.doc 48kb

With best wishes
Beatrice Mcneil

Secure Checksum: 0417d5b304641

Same trick, different wording to get past your best brain defenses.

Posted on December 08, 2011 at 09:12 AM