Establishing Digital Trust: Don't Sacrifice Security for Convenience
The e-mails appear to come from Postepay, with a subject line indicating that they're inviting the recipient to activate a new service. There's no link in the e-mail, which the researchers suggest could trick some recipients into thinking it couldn't be a phishing attack and that it's safe to open the attachment.
If you do so, you'll be served the actual Poste Italiane Web site, while the attachment delivers an iFrame injection that asks for a user name and password. "It's all too easy to imagine that many people who saw such a login screen would be duped into believing that it was genuine, and enter their login credentials without thinking twice," writes Sophos' Graham Cluley.
What makes the campaign even more interesting is that the attack uses the full text of Hamlet's soliloquoy, "To be or not to be," as a hash buster.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"Hash busters are random sections of text or sequences of characters which can be added to a file in order to change the ultimate file's checksum," Cluley explains. "In the examples seen by SophosLabs, the HTML file has been adapted to incorporate what is probably one of the world's most famous speeches."
Sophos identifies the malicious e-mail attachment as Troj/Ifrin-A.