Spam or virus? Try both.
This nasty little critter sneaked into a user's mailbox in the early hours of 4th September. The user waited until this morning to mention it, having tried, without apparent success, to reach the spamvertised web site.

Your Social Insurance Number card has been stolen!!!

Please immediately visit [URL snipped]

Whether a replacement card is requested or a new Social Insurance Number, we suggest that you:

- report the theft of the Social Insurance Number card to the police;

- contact credit agencies to request that an annotation be placed on your credit file. You may wish to request that creditors contact you before opening any new account. You should also periodically request a copy of your credit file to verify its accuracy.

- carefully examine any statement or invoice you receive to ensure the charges are legitimate;

Please immediately visit [URL snipped] [mailto: link snipped]

When the user did casually mention it, I asked to see the original message source, as it appeared to be spam and I wanted to know what the spammer was up to. Just what was lurking behind those links?

Luckily, we have Sam Spade to fall back on in these situations, so I plugged the URL into the Sam Spade browser and got a bit of a surprise.

The spamvertised site immediately loaded a PHP script, which in turn sent a load of VBScript to the browser...

  • it wanted to move the browser window to position 6000, 6000 (way off the bottom right of the screen)
  • and open a "text" file for writing in C:\, named RUNDLL32.EXE
  • and write a lot of binary data to said "text" file
  • and close it
  • and finally execute it

So, a virus then. Similar to one that surfaced a month or so back, which purported to be a security update from Microsoft. The "Social Insurance Number" is a creative twist. I wonder how many will fall for that?
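As an added example (not part of the original post, and not the spammer's script): a small Python scanner that looks in a saved copy of a page's source for the four behaviours listed above, i.e. a window shoved off-screen, a "text" file opened for writing under an executable name, binary data assembled from Chr() calls, and that same file being run. The VBScript sample embedded below is constructed for the test and deliberately writes only two bytes, not a real executable; the off-screen threshold and the indicator names are my own choices.

```python
import re

# Constructed sample modelled on the behaviour the post describes.
# It is NOT the real payload: it writes two bytes, not an executable.
SAMPLE_VBS = """\
<script language="VBScript">
window.moveTo 6000, 6000
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("C:\\RUNDLL32.EXE", True)
f.Write Chr(77) & Chr(90) & Chr(0) & Chr(0)
f.Close
Set sh = CreateObject("WScript.Shell")
sh.Run "C:\\RUNDLL32.EXE"
</script>
"""

# Constructed benign script: writes a real text file and never runs anything.
BENIGN_VBS = """\
<script language="VBScript">
window.moveTo 10, 10
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("C:\\notes.txt", True)
f.Write "hello"
f.Close
</script>
"""

# Extensions that should never be the target of a "text" file write.
EXEC_EXT = re.compile(r'\.(exe|com|scr|pif|bat|cmd|vbs)\b', re.IGNORECASE)
# Assumption: no real screen is this wide or tall; larger means "hide me".
OFFSCREEN = 3000


def scan_vbscript(text):
    """Return a dict of indicator -> detail for the write-then-run pattern."""
    findings = {}

    # 1. Window moved far off-screen (the post saw moveTo 6000,6000).
    for m in re.finditer(r'moveTo\s*\(?\s*(-?\d+)\s*,\s*(-?\d+)', text, re.IGNORECASE):
        x, y = int(m.group(1)), int(m.group(2))
        if abs(x) >= OFFSCREEN or abs(y) >= OFFSCREEN:
            findings['offscreen_window'] = f'moveTo {x},{y}'

    # 2. A "text" file opened for writing whose name has an executable extension.
    written = set()
    for m in re.finditer(r'(?:CreateTextFile|OpenTextFile)\s*\(\s*"([^"\n]+)"',
                         text, re.IGNORECASE):
        path = m.group(1)
        if EXEC_EXT.search(path):
            written.add(path.lower())
            findings['exe_written_as_text'] = path

    # 3. Binary content assembled byte by byte from Chr() calls.
    chr_calls = len(re.findall(r'\bChr\s*\(', text, re.IGNORECASE))
    if chr_calls >= 4:
        findings['chr_encoded_data'] = f'{chr_calls} Chr() calls'

    # 4. Execution of a path via WScript.Shell .Run, ShellExecute or bare Shell().
    #    The lookbehind keeps "WScript.Shell" (an object name) from matching.
    run_re = r'\.(?:Run|ShellExecute)\s*"([^"\n]+)"|(?<![\w.])Shell\s*\(\s*"([^"\n]+)"'
    for m in re.finditer(run_re, text, re.IGNORECASE):
        path = (m.group(1) or m.group(2)).lower()
        findings['executes_path'] = path
        if path in written:
            findings['writes_then_runs'] = path

    return findings


def is_dropper(text):
    """True only when the script both writes an executable and runs that file."""
    return 'writes_then_runs' in scan_vbscript(text)


if __name__ == '__main__':
    for name, sample in (('sample', SAMPLE_VBS), ('benign', BENIGN_VBS)):
        print(name, is_dropper(sample), scan_vbscript(sample))
```

The individual indicators are noisy on their own (plenty of legitimate pages call moveTo or Chr), so is_dropper() only fires when the same path is both written under an executable name and then run, which is the defining step of the sequence the post describes.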

The source IP (possibly an open proxy, which tends to suggest that this email was part of the initial seeding of a new virus) was in a Russian network, now permanently blocked here. The spamvertised URL hosting the PHP script that builds and runs the executable is still alive after at least 5 days. I will dig around some more and find out where to apply the next clue by four. Watch this space.

Category: Spam characteristics