Viagra spam campaign uses security notice disguise

Photo credit: Sean Nel/Shutterstock.com

Graham Cluley, technologist at SophosLabs, is warning of a new campaign that sends unsolicited emails to victims with the subject line “An important notice about security.”

The body reads:

“We recently learned that the vendor we use to answer support requests and other emails (Zendesk) experienced a security breach.

We're sending you this email because we received or answered a message from you using Zendesk. Unfortunately your name, email address and subject line of your message were improperly accessed during their security breach. To help keep your account secure, please:

* Don't share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away.

* Beware of suspicious emails. If you get any emails that look like they're from our Support Team but don't feel right, please let us know - especially if they include details about your support request.

* Use a strong password. If your password is weak, you can create a new one [LINK]

We're really sorry this happened, and we'll keep working with law enforcement and our vendors to ensure your information is protected.

Support Team”

Cluley points out that the mail, of course, never names the company that is supposedly sending it.

“With no clear details in the email, the only way to find out is to click on the links... right?”, he said. “Well, if you do that, you'll find your browser taken on a journey which ultimately (via some temporary redirects) leads you to a Canadian pharmacy website, trying to sell you Viagra and Cialis.”

The campaign is clearly using the disguise of an important security notice as a highly effective form of social engineering, “complete with sensible advice to use strong passwords, and be wary of unsolicited emails!” Cluley said. Oh, the irony.

For now the payload is only an unwanted pharmacy advert, but whoever runs the campaign controls the redirects and could repoint them at a phishing page or a site that delivers malware at any time. The practical check is the same either way: a genuine breach notice names the company it comes from and links to that company's own domain, so an unsolicited “security notice” that names nobody should be treated as spam. Consumers and enterprise users alike should not follow its links, and anyone who suspects the warning might be real should go to the service's website directly rather than through the email.
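As an added example (not Sophos' or the article's code), the Python script below does without a browser what Cluley describes doing by clicking: it pulls each link out of a message, follows the chain of temporary redirects one hop at a time, and reports where the link finally lands and whether that domain belongs to the claimed sender. The message text, sender address, URLs and redirect map are constructed for the demonstration; `live_fetch` is included for running the same check against a real link from an isolated analysis host.

```python
"""Trace where a link in a suspicious email actually leads, one redirect at a time.

Added example, not code from Sophos or the article. Every URL, the sender
address and the redirect map below are constructed; example.com/.net/.org are
reserved documentation domains and resolve to nothing real.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from silently following 3xx responses; we want to see each hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """One HEAD request, redirects disabled. Returns (status, Location header or None).

    Caveat: even a HEAD tells the spammer the address is live, and some sites answer
    HEAD or an unfamiliar User-Agent differently from a browser GET, so run this from a
    sandboxed analysis box, never from the recipient's own machine.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "link-triage/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx responses surface here.
        return err.code, err.headers.get("Location")


def follow_chain(url, fetch=live_fetch, max_hops=MAX_HOPS):
    """Return [(url, status), ...] for every hop, ending at the landing page.

    A loop or an over-long chain is recorded as a final pseudo-hop instead of
    being followed forever.
    """
    hops, seen, current = [], set(), url
    for _ in range(max_hops):
        seen.add(current)
        status, location = fetch(current)
        hops.append((current, status))
        if not (300 <= status < 400 and location):
            return hops
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            hops.append((nxt, "loop"))
            return hops
        current = nxt
    hops.append((current, "max-hops"))
    return hops


def registrable(host):
    """Crude last-two-labels domain; good enough to compare sender vs. landing page."""
    return ".".join(host.lower().split(".")[-2:])


def triage_email(body, sender, fetch=live_fetch):
    """Follow every link in the body; flag those that land outside the sender's domain."""
    sender_dom = registrable(sender.split("@")[-1])
    report = []
    for link in URL_RE.findall(body):
        chain = follow_chain(link, fetch)
        final = chain[-1][0]
        final_dom = registrable(urlparse(final).hostname or "")
        report.append({"link": link, "hops": len(chain) - 1,
                       "final": final, "off_domain": final_dom != sender_dom})
    return report


# --- constructed sample data (the real mail named no sender and showed "[LINK]") ---
SAMPLE_FROM = "support@example.net"
SAMPLE_BODY = """We recently learned that the vendor we use to answer support requests
and other emails (Zendesk) experienced a security breach.
* Use a strong password. If your password is weak, you can create a new one
http://track.example.net/r/abc123
"""

# Constructed stand-in for the "temporary redirects" Cluley observed, plus a loop case.
FAKE_WEB = {
    "http://track.example.net/r/abc123": (302, "http://hop.example.com/go?x=1"),
    "http://hop.example.com/go?x=1": (307, "/landing"),
    "http://hop.example.com/landing": (302, "https://pharmacy.example.org/"),
    "https://pharmacy.example.org/": (200, None),
    "http://loop.example.com/a": (302, "/b"),
    "http://loop.example.com/b": (302, "/a"),
}


def fake_fetch(url):
    """Offline fetcher that answers from FAKE_WEB instead of the network."""
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    for entry in triage_email(SAMPLE_BODY, SAMPLE_FROM, fetch=fake_fetch):
        print(entry)
```

Against the constructed data the one link takes three hops and lands on a domain that has nothing to do with the claimed sender, which is exactly the signal that separates this mail from a real vendor notice. Swap `fake_fetch` for the default `live_fetch` to trace a real link, keeping in mind the caveat in its docstring.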

Cluley also said that Sophos has had reports from customers who have received bogus Facebook notifications pointing to the same site. “We all probably know someone who is so addicted to Facebook, and stalking their friends' online activity, that they wouldn't hesitate from clicking on a link which they believed had come from the social network,” he said.
