Webroot spots its own IT security software being tapped for drive-by downloads

This strategy pays off, Infosecurity notes, when legitimate subscribers to the advertised services see the messages, and are coming to the end of their subscription. Human nature takes over, and – curiosity piqued – the hapless internet users click through, and are infected.

According to Webroot threat analyst Andrew Brandt, the linked text in a spammed email his team recently spotted leads to a website that performs a 'drive-by download'.

But it gets worse, as Webroot says its own IT security products are being used as subscription lures in the spammed messages.

"The spammers appear to have done some homework", he said in a weekend security blog posting about the emails, which are branded with the name of the Best Buy US retail chain.

"Some, but not enough. Best Buy currently sells our products through their online software subscription service", he explained, adding that the lures reference a package called 'Webroot Spysweeper with Antivirus Product' – which appears to be a made-up title.

Brandt goes on to say that the message claims it is a subscription renewal notice, and includes a serial number – which does not work – and a transaction date of July 17.

"The link in the message leads to the website of a small bed and breakfast in New Zealand, which has been compromised. We've informed the owners of that website of the spam campaign and asked them to take down the page referenced in the spam message", he said in his security blog.

What's interesting about the attack methodology, Infosecurity notes, is that the hackers appear to combine 'script kiddie' attack vectors, which most internet users could spot quite easily, with obfuscated (hidden) code that forces the web browser to open a fake pharmacy website.

The yummyeyes script, says Brandt, "is doing some bad stuff, although for the moment it appears not to be working".

"It attempts to exploit various vulnerabilities, targeting the Java [virtual machine] and Adobe Reader. The page pushes down a lot of obfuscated Javascript, as well as a malicious PDF and another page which tries to get Java to load an applet that isn't present on the server", he added.

Elsewhere on the page, Webroot's threat analyst says that the lower part of the script has an embedded mirror-flipped URL that is effectively backwards.

"Nobody would have ever spotted that one, pointing to blockoctopus.ru in a million years. And by nobody, I mean everybody. Just another example of elite coding skills wasted on halfwitted attempts at crime", he said.
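The reversed-URL trick Brandt describes is a cheap obfuscation that a string scan can undo. The following is an added example for defenders, not code from Webroot or from the article: it pulls every JavaScript string literal out of a page, reverses each one, and flags any that only becomes a URL once flipped, and it also checks for the `split("").reverse().join("")` idiom that scripts typically use to rebuild such a string at run time. The sample script and the `malicious.example` domain are constructed placeholders; the real campaign's script is not reproduced here, and the idiom check assumes this common reversal pattern rather than every variant obfuscators use.

```python
import re

# Constructed sample of obfuscated JavaScript (not the script from the article).
# The second literal is a URL stored backwards and rebuilt before the redirect.
SAMPLE_JS = r'''
var a = "example.test/landing";
var b = "gnp.ogol/sgmi/elpmaxe.suoicilam//:ptth";
var u = b.split("").reverse().join("");
document.location = u;
'''

# Double- or single-quoted JS string literal, allowing escaped characters inside.
STRING_LITERAL = re.compile(
    r'"([^"\\]*(?:\\.[^"\\]*)*)"|\'([^\'\\]*(?:\\.[^\'\\]*)*)\''
)

# Absolute or scheme-relative URL: optional http(s):, then //host.tld and an optional path.
URL_PATTERN = re.compile(
    r'^(?:https?:)?//[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/[^\s"\']*)?$'
)

# The run-time reversal idiom most often paired with a backwards string.
REVERSE_IDIOM = re.compile(
    r'\.split\(\s*[\'"]{2}\s*\)\s*\.reverse\(\)\s*\.join\(\s*[\'"]{2}\s*\)'
)


def extract_string_literals(js):
    """Return the contents of every string literal in the script, in order."""
    return [
        m.group(1) if m.group(1) is not None else m.group(2)
        for m in STRING_LITERAL.finditer(js)
    ]


def find_reversed_urls(js):
    """Flag literals that are not URLs as written but become URLs when reversed."""
    hits = []
    for literal in extract_string_literals(js):
        flipped = literal[::-1]
        if URL_PATTERN.match(flipped) and not URL_PATTERN.match(literal):
            hits.append({"literal": literal, "decoded": flipped})
    return hits


def uses_reverse_idiom(js):
    """True if the script contains the split/reverse/join reconstruction pattern."""
    return bool(REVERSE_IDIOM.search(js))


def scan(js):
    """Summarise both indicators so a triage script can act on one result."""
    hits = find_reversed_urls(js)
    return {
        "reversed_urls": hits,
        "reverse_idiom": uses_reverse_idiom(js),
        "suspicious": bool(hits) or uses_reverse_idiom(js),
    }


if __name__ == "__main__":
    result = scan(SAMPLE_JS)
    for hit in result["reversed_urls"]:
        print(f"reversed literal {hit['literal']!r} decodes to {hit['decoded']}")
    print("reverse idiom present:", result["reverse_idiom"])
```

Either indicator alone is a reason to look harder at a page, but the two together (a backwards URL plus the code that flips it) are a strong signal worth blocking the decoded host on and checking proxy logs for.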
