This morning we began monitoring an email campaign whose messages purport to be scanned documents that have been sent to you. This technique is not new; we have seen it used for years, but the messages in each campaign vary slightly from the last. Cybercriminals keep returning to this method because the messages closely resemble what real scan notifications tend to look like, and because many people are used to receiving legitimate messages of this sort. The result is a somewhat innocuous-looking message that people are likely to open. The current malicious spam campaign is coming in at nearly 1 million messages per hour, and the malicious payloads are spread across a total of 136 different domains. Each email contains a link to one of these domains, which hosts a malicious payload; once the link is clicked, it will infect your machine with malware designed to steal your money.
Here is what these messages look like:
Upon initial analysis, it appears that these malicious emails are a product of the Blackhole Toolkit. Malware infection has lately been dominated by campaigns of this type, which use emails containing links to deliver malware. As usual, we are currently quarantining all variants of this threat.