web application security lab

Unsubscribe Link Malware

Phaithful sent me an interesting bit of what looks at first glance to be spam. Normally I don’t care much about this stuff, but this one was fairly interesting because it uses social engineering to get users to click an unsubscribe link (something I typically don’t do, as that is a way for spammers to verify that your address is valid). Upon clicking the unsubscribe link you are taken to a page with four embedded iframes. Those iframes run a series of JavaScripts that attempt various exploits (one of the files was named metasploit.exe… so that should give you an idea).

Proceed to this URL with extreme caution; it is definitely not benign.

It is always interesting to see a shift in tactics, though. Using obfuscated JavaScript is not new. Embedding malware into pages isn’t new either. But what is new is using an unsubscribe link to sucker people into visiting the page in the first place. Yet another reason not to click on unsubscribe links. I guess the CAN-SPAM Act is the newest tool in the virus writer’s toolkit. Educating users that unsubscribe links must be present and function is just another tool in the arsenal now.
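For anyone triaging a landing page like this from a saved copy rather than a browser, here is an added example (not code from the original post) that statically counts iframes and flags script obfuscation markers. The sample page, the marker list and the "hidden iframe" heuristics are constructed assumptions, not details taken from the page described above.

```python
from html.parser import HTMLParser
import re
# Constructed sample standing in for a saved landing page; not the page from the post.
SAMPLE_PAGE = """<html><body><p>You have been unsubscribed.</p>
<iframe src="http://a.example.invalid/1.html" width="0" height="0"></iframe>
<iframe src="http://a.example.invalid/2.html" style="display:none"></iframe>
<iframe src="http://b.example.invalid/3.html" width="1" height="1"></iframe>
<iframe src="/local/help.html" width="600" height="400"></iframe>
<script>var s = unescape("%64%6f%63"); eval(s + "ument.title");</script>
</body></html>"""

# Heuristic markers often seen in packed or encoded script (assumed list, not exhaustive).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")

class LandingPageTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []         # (src, looks_hidden) for every iframe seen
        self.script_hits = set()  # obfuscation markers found inside <script> bodies
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = tiny or "display:none" in style or "visibility:hidden" in style
            self.iframes.append((a.get("src", ""), hidden))
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.script_hits.update(m for m in OBFUSCATION_MARKERS if m in data)
            if re.search(r"(?:%[0-9a-fA-F]{2}){3,}", data):
                self.script_hits.add("percent-encoded run")

def triage(html):
    """Parse the HTML without executing anything and summarise what stands out."""
    p = LandingPageTriage()
    p.feed(html)
    p.close()
    hidden = [src for src, h in p.iframes if h]
    return {"iframes": len(p.iframes), "hidden_iframes": hidden,
            "script_markers": sorted(p.script_hits),
            "suspicious": bool(hidden) and bool(p.script_hits)}

if __name__ == "__main__":
    print(triage(SAMPLE_PAGE))
```

The parser never fetches or runs the framed content, so it only sees the outer page; each iframe source would need the same treatment in an isolated analysis environment.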

One Response to “Unsubscribe Link Malware”

  1. ha.ckers.org web application security lab - Archive » Email Risks Says:

    […] As we’ve seen malware is pretty prevalent these days - (at least 1/10th the spam I get has .zip or .src or other horrible attachments). Of course this goes beyond the realm of Outlook, Lotus and Thunderbird to the realm of Yahoo Mail, Hotmail and Gmail. Scanning attachments for viruses is one free service that a lot of these webmail clients offer, but it certainly doesn’t offer security from zero-day exploits - so one off targeted attacks will always be possible. And of course there are phishing aspects, or simply links that lead to malicious websites with all sorts of consequences (like the unsubscribe link and the JavaScript port scanner). […]