Australia's Leading Computer Emergency Response Team

Is your PC infected?
Date: 06 January 2012
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=15299

AusCERT has received malicious email messages relating to a scamware operation. At best this is credit card phishing; at worst it could include data-stealing malware and ransomware.

The spam email purports to be from a company which has released a "2012 edition of Anti-virus" and encourages users to visit its website for a discount on the purchase price.

After clicking on the "list.janmedia1" link provided, the user is redirected to the professional-looking web page for a "Scan&Protect" anti-virus package at "hxxp://online-internet-version.com/av/promo/index.asp?aff=11677&camp=XO_jan10_AV".

This means that the "list.janmedia1.com" server is merely used as a jumping-off point; it is operated by xoopamail.com [aka xoopa.com], a company which specialises in bulk email services. This is interesting as it points to a change in the modus operandi of the attackers towards a more 'crime as a business, with legal subcontractors' style of operation. The most concerning part of this scam is the professional look and feel of the website. The authors have clearly gone to lengths to create a professional-looking site which will reassure victims that the product is legitimate, even though it is not.

This page also includes JavaScript with the dubious quote "Just click CANCEL to accept this offer".

This attack relies on a spam component which should be mitigated by most anti-spam filters. The website being used to sell the software, "online-internet-version.com" [which resolves to 81.17.21.106], has been added to the AusCERT blacklist and should be blocked by administrators.

The domains list.janmedia1.com and xoompamail.com are legitimate websites operated by a hosting company. AusCERT does not endorse blocking access to these sites, as they are used for legitimate commerce, although administrators may wish to block them if the services they provide are not useful to their organisation.
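As an added example (not part of the original AusCERT alert), the following Python script shows how an administrator could apply the two recommendations above to a web proxy log: block the selling site (by host name and by the IP it resolves to) while only noting, not blocking, the legitimate relay host. It also pulls out the "aff" and "camp" affiliate tags from the quoted URL, which are useful for recognising later waves of the same campaign. The log lines and the simple "timestamp client method url" format are constructed for the example; the indicator values are the ones quoted in the alert.

```python
"""Proxy-log triage for the indicators named in this advisory (added example)."""
from urllib.parse import urlparse, parse_qs

# Indicators quoted from the advisory text.
BLOCKED_HOSTS = {"online-internet-version.com"}
BLOCKED_IPS = {"81.17.21.106"}
# Relay host named in the advisory: a legitimate bulk-mail service,
# so it is only reported, never blocked, by this script.
RELAY_HOSTS = {"list.janmedia1.com"}

# Constructed sample log in a simple "timestamp client method url" format.
SAMPLE_LOG = """\
2012-01-06T10:15:02 10.0.0.23 GET http://list.janmedia1.com/click?id=42
2012-01-06T10:15:03 10.0.0.23 GET http://online-internet-version.com/av/promo/index.asp?aff=11677&camp=XO_jan10_AV
2012-01-06T10:16:40 10.0.0.57 GET http://www.example.com/news
2012-01-06T10:17:11 10.0.0.23 POST http://81.17.21.106/av/promo/order.asp
"""


def refang(url):
    """Turn a defanged 'hxxp://' indicator (as written in advisories) back into a parseable URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def classify_url(url):
    """Return (verdict, details); verdict is 'block', 'relay' or 'allow'."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    if host in BLOCKED_IPS or host in BLOCKED_HOSTS or any(
        host.endswith("." + h) for h in BLOCKED_HOSTS  # also catch subdomains
    ):
        verdict = "block"
    elif host in RELAY_HOSTS:
        verdict = "relay"
    else:
        verdict = "allow"
    query = parse_qs(parsed.query)
    # Affiliate/campaign tags from the advisory URL; handy for tracking the campaign over time.
    campaign = {k: query[k][0] for k in ("aff", "camp") if k in query}
    return verdict, {"host": host, "campaign": campaign}


def scan_proxy_log(text):
    """Return one record per log line whose URL is blocked or touches a relay host."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole scan
        timestamp, client, _method, url = parts
        verdict, details = classify_url(url)
        if verdict != "allow":
            hits.append({"time": timestamp, "client": client, "verdict": verdict, **details})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Running it on the sample log reports the relay click from 10.0.0.23 followed seconds later by the blocked landing page and an order POST to the bare IP, which is exactly the redirect chain the alert describes; a client that shows up in both a relay and a block record is the one worth following up on.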

Prior to publication of this alert it was found that the online-internet-version.com web site had moved on from selling fake anti-virus software to selling fake PDF software.

The site currently looks like this:

Although we cannot be sure it was actually 'selling' anything at all: it might just take your credit card details and close the window. Either way, we didn't want to give them our credit card details to find out. :)

Safe surfing,

Angus

Update: We have now (Jan 09) started receiving email from the same group regarding "The New 2012 Version of PDF Reader/Writer". From what we have seen this is simply the new version of the above scam.