December 08, 2011More main.php Hijinks [Updated]
Today's episode of As the main.php Malware World Turns features another trick designed to fool recipients into clicking a dangerous link that eventually leads to the Russian-based main.php malware loading page. These tricks have been reported here more often than a Kardashian appears on TMZ.
The subject matter of the latest is some vague contract that's supposedly of interest to you. Here's a sample:
Subject: Your new contract
As we arranged on our last meeting in the office we've got the contract ready, plase study it carefully and let us know whether you accept all the issues.
We've attached the copy of the contract below
MD5 check sum: a5e61bd3afa5495e1954b20849faf7d8
There is no attachment. Instead the clickable link goes to a hijacked legitimate web site, where the page loads the Russian-based main.php page into an iframe element. The checksum at the end is completely bogus — just like the so-called "fingerprint" of other messages in this campaign.
A second variation also arrived today:
Subject: Re: Fwd: Changelog New
changelog update - Changelog
Just vague enough to make it look harmless. But it's not. By the way, if this looks familiar, take a look at this Spam Wars Dispatch from June, 2010. Coincidence? No. Same asshole switching between malware loader attachments and links.
Sadly, I believe the creator of the more recent messages leading to main.php has a good handle on what tricks unsuspecting recipients into clicking links. And that makes me mad.
Update (9Dec2011): I saw another version of the contract malarkey:
Subject: The variant of the contract you've offered has been delcined.[sic]
After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
With best wishes
Secure Checksum: 0417d5b304641
Same trick, different wording to get past your best brain defenses.Posted on December 08, 2011 at 09:12 AM