The name of the sender varies, but the approach is to use the same domain as the victim to make it look more believable. In the sample I have, the "Here is the photo" link 404s, but you can guarantee that it is malware, so don't click that link!

Date: Wed, 23 Nov 2011 08:28:46 +0700
From: Saffi@victimdomain.com
To: victim@victimdomain.com
Subject: Help! I'm in trouble!
I was at a party, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light many times, I've just got the pictures, maybe you know him?
Here is the photo
I need to find him urgently!
Thank you
Saffi
Update: the malicious payload is on blredret.ru (94.199.51.108) at 23vnet Kft in Budapest (again). The Wepawet report is here. Blocking that IP proactively is probably wise.
Update: this spam run is happening again, but with a different set of malicious IPs (read more)
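A mail-gateway check for the same-domain sender trick described in this post, added here as an example and not taken from the original author. It assumes the receiving gateway stamps an `Authentication-Results` header; the gateway name `mx.victimdomain.com`, the SPF results and `example.net` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: headers from the post plus a hypothetical
# Authentication-Results line stamped by the receiving gateway.
SPOOFED = """\
Authentication-Results: mx.victimdomain.com; spf=fail smtp.mailfrom=victimdomain.com
Date: Wed, 23 Nov 2011 08:28:46 +0700
From: Saffi@victimdomain.com
To: victim@victimdomain.com
Subject: Help! I'm in trouble!

I need to find him urgently!
"""
# Constructed variants: a genuine internal message, and a spoof whose
# envelope sender passes SPF for an unrelated domain (example.net).
GENUINE = SPOOFED.replace("spf=fail", "spf=pass")
UNALIGNED = SPOOFED.replace("spf=fail smtp.mailfrom=victimdomain.com",
                            "spf=pass smtp.mailfrom=example.net")

# Domain that passed SPF (envelope sender) or DKIM (signing domain).
PASSED = re.compile(
    r"(?:spf=pass[^;]*?smtp\.mailfrom=|dkim=pass[^;]*?header\.d=)"
    r"(?:[^\s;@]*@)?([^\s;]+)", re.I)

def domain(addr):
    return addr.rpartition("@")[2].strip().lower()

def authenticated_as(msg, sender_domain, trusted_authserv):
    """True if our own gateway recorded a pass aligned with the From domain."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # header not written by our gateway: do not trust it
        if sender_domain in (d.lower() for d in PASSED.findall(results)):
            return True
    return False

def is_same_domain_spoof(raw, trusted_authserv="mx.victimdomain.com"):
    """Flag mail claiming to come from the recipient's own domain without proof."""
    msg = message_from_string(raw)
    sender = domain(parseaddr(msg.get("From", ""))[1])
    rcpts = {domain(a) for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    return (bool(sender) and sender in rcpts
            and not authenticated_as(msg, sender, trusted_authserv))
```

The `UNALIGNED` case is the one to watch: an SPF pass for the envelope sender says nothing about the visible From address, so the check only accepts a pass whose domain matches it.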
1 comment:
Yes, last time got the same kind of content!!.... were a believe how this possible it comes across my antispam