Criminals are spoofing the email addresses of several well-known antivirus vendors to trick victims into downloading a malicious file that will supposedly remove a non-existent infection purportedly causing their systems to send out infected email.
US security firm Websense said Wednesday it had blocked 2700 emails fitting this description in the past day, describing it as a “low-volume” campaign.
The brands in the batch of malicious spam Websense detected included Symantec, Sophos, F-Secure, Verisign, and Secure Root. The spoofed email addresses were: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org.
As in other scareware ruses, recipients are encouraged to click on a link that directs them to download a malicious executable file after a supposed security scan indicates their computers are infected with the non-existent worm, W32.Swizzor.C-WORM.
The spam’s authors claim the link will lead victims to a free malicious software removal tool from the vendor.
The subject header of the spam in the case Websense highlights is: “[Symantec] - Your e-mail account may be blocked”.