Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec Hosted Services
The FIFA World Cup, which officially started in South Africa last Friday, has been the subject of intense public interest for the past few months. This interest in football has not escaped the notice of scammers and malware authors, who are skilled at using high-profile events to entice unsuspecting users into opening their malicious messages.
MessageLabs Intelligence recently saw some spam for a pharmaceutical site using the World Cup to try to entice users to open the message. The subject of these messages was:
Subject: FIFA World Cup South Africa... bad news
The exact motives of the spammer are unclear, but it's likely that they hope that recipients will read this subject and think that perhaps the tournament has been disrupted somehow (perhaps like the Africa Cup of Nations earlier this year), and then quickly open the message. The body of the message contains more World Cup-related text, enticing recipients to open an attached document, named "news.html":
FIFA World Cup 2010 scandal news, read attached document
From looking at the first few characters ("hJt>t>p>:"), you might already have noticed what is going on. If you remove the "J" and ">" characters, this becomes "http:", the start of a URL. The code simply strips these characters and a few others ("5", "2" and "l") from the string, and this reveals the destination URL:
This URL points to a page that the spammer has created on a server that appears to have been compromised. The page contains a hidden 1-by-1 pixel iframe that loads a tracking "bug" (presumably so the spammer can monitor the response rate of the campaign) and then uses an HTML-based redirect to send the user on to a pharmaceutical web site selling common drugs.
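To show how an analyst can reproduce the two steps described above, here is an added Python example that is not part of the original post and not Symantec's code. It strips the junk characters the text names ("J", ">", "5", "2", "l") from a constructed copy of the attachment to recover the URL, and then scans a constructed landing page for the 1-by-1 pixel tracking iframe and the HTML meta-refresh redirect. The junk-character set, the sample attachment, the sample landing page and all host names are assumptions made for the example; the real attachment's decoding routine and destination are not reproduced on the page.

```python
import re
from html.parser import HTMLParser

# Characters the attachment inserts into the URL, per the write-up
# (the exact decoding code in the real attachment is not shown; assumed here).
JUNK_CHARS = set("J>52l")

# Constructed sample attachment: junk characters sprinkled through a redirect
# to a placeholder host (not the real spam destination).
OBFUSCATED_ATTACHMENT = (
    "window.location = 'hJt>t>p>:5/2/s>pJam-h5o>st.t2e>st/g>o.h5tm';"
)

# Constructed sample landing page: hidden 1x1 tracking iframe plus an
# HTML meta-refresh redirect to a placeholder pharmacy host.
LANDING_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://pharma-shop.test/">
</head><body>
<iframe src="http://tracker.test/bug.gif" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def deobfuscate(text):
    """Remove every junk character, the inverse of the spammer's trick."""
    return "".join(ch for ch in text if ch not in JUNK_CHARS)


def extract_urls(text):
    """Deobfuscate the attachment text and pull out any URLs it reveals."""
    return URL_RE.findall(deobfuscate(text))


class LandingPageAnalyzer(HTMLParser):
    """Flags tiny iframes (tracking bugs) and meta-refresh redirects."""

    def __init__(self):
        super().__init__()
        self.tracking_iframes = []
        self.meta_redirects = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "iframe":
            width, height = a.get("width", "").strip(), a.get("height", "").strip()
            # A 0x0 or 1x1 iframe is invisible to the user: a classic tracking bug
            if width in ("0", "1") and height in ("0", "1"):
                self.tracking_iframes.append(a.get("src", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=http://..."; capture the target
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.meta_redirects.append(m.group(1).strip())


def analyze_landing_page(html):
    """Return the tracking iframes and redirect targets found in an HTML page."""
    parser = LandingPageAnalyzer()
    parser.feed(html)
    return {
        "tracking_iframes": parser.tracking_iframes,
        "meta_redirects": parser.meta_redirects,
    }


if __name__ == "__main__":
    for url in extract_urls(OBFUSCATED_ATTACHMENT):
        print("attachment redirects to:", url)
    report = analyze_landing_page(LANDING_PAGE)
    print("tracking iframes:", report["tracking_iframes"])
    print("meta redirects:  ", report["meta_redirects"])
```

Feeding a real sample through `extract_urls` gives the analyst the destination to block at the web proxy, and `analyze_landing_page` shows why the landing page itself is worth blocking: the tracking iframe host and the redirect target are both indicators that can be added to a blocklist, independent of the wording of the next spam run.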
As the tournament continues, MessageLabs Intelligence expects to see more World Cup-related spam and malware threats emerge.