Posted December 20, 2013
Scammers launched an email campaign today that uses the Best Buy brand. A fairly obvious phishing email, it begins with the strangely worded subject line, “Delivery Canceling”, and contains a number of syntax and grammatical errors and oddities typical of low-end con artists. Examples include “we will pay your money back less 17” and “your order was reserved for the time of Christmas holidays.” This reads like either a very poor or a machine-generated literal translation of something that undoubtedly sounded natural in its original language.
Based on the copies of the message captured by Cyveillance, the embedded links lead to a version of the “Sweet Orange” exploit kit, resulting in a drive-by download. Neither VirusTotal nor Cyveillance Labs’ five-year history of “in the wild” infections has seen this exact binary before, indicating it is either a zero-day payload or, more likely, a padded or modified version of a known malware package. We are continuing to analyze it, but in the meantime researchers can reach the malicious site via this URL (note: the HTTP string in the protocol must be corrected):
(WARNING: This is an infectious link leading to a potentially dangerous payload. Not recommended outside of a safe/lab environment. Since these links are typically short lived, future searches should use the MD5 for the payload we received: b94e1b2ebd33d65de4601adffe18d10c.)
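Since the post recommends searching by the payload's MD5 once the links go dead, here is an added example (not Cyveillance's code) of the defender-side check that matters: hashing every file under a directory (a mail quarantine, a download folder, a sandbox output tree) and flagging anything whose MD5 appears on a watchlist, while also recording the SHA-256 so the sample can be submitted to VirusTotal or a ticketing system under a collision-resistant identifier. The watchlist contains the MD5 from the post; the sample file the demo writes is constructed and is not the real payload.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicator from the post: MD5 of the Sweet Orange drive-by payload.
KNOWN_BAD_MD5 = {"b94e1b2ebd33d65de4601adffe18d10c"}


def hashes_of_bytes(data: bytes) -> dict:
    """Return MD5 (for matching legacy IoCs) and SHA-256 (for reliable identification)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hashes_of_file(path: Path) -> dict:
    """Stream the file in 64 KiB chunks so large droppers do not need to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def scan_directory(root, watchlist=KNOWN_BAD_MD5) -> list:
    """Walk root recursively and return one record per file whose MD5 is on the watchlist."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digests = hashes_of_file(path)
        if digests["md5"] in watchlist:
            hits.append({"path": str(path), **digests})
    return hits


def demo() -> list:
    """Constructed scenario: one watchlisted file and one benign file in a temp directory.

    The 'bad' file is harmless constructed bytes; its MD5 is added to the watchlist
    purely to exercise the matching logic, alongside the real indicator from the post.
    """
    root = Path(tempfile.mkdtemp(prefix="hashscan_"))
    sample = b"constructed sample bytes standing in for a quarantined download\n"
    (root / "sample.bin").write_bytes(sample)
    (root / "notes.txt").write_bytes(b"benign file, should not be flagged\n")
    watchlist = KNOWN_BAD_MD5 | {hashes_of_bytes(sample)["md5"]}
    return scan_directory(root, watchlist)


if __name__ == "__main__":
    for hit in demo():
        print(f"MATCH {hit['path']} md5={hit['md5']} sha256={hit['sha256']}")
```

In practice the watchlist would be loaded from a threat-intel feed rather than hard-coded, and a match should trigger quarantine and submission rather than just a log line; note also that an MD5 match is only a starting point, because the post itself expects the binary to be a padded or modified variant, which a single hash will not catch.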