Scam Report - Fake Voice Mail Email Notification Redirects to Malicious Site

 We received a report of a recent scam that persuaded the victim to click on a link that claimed to be a recorded voice mail message. (Thanks for the pointer, Sean Thomas.)

According to VCU, the scammer's message had the following contents:

Subject: Voice Mail from 703-892-1228 (55 seconds)

You received a voice mail : N_V50-062-NIDS.WAV (182 KB)

Caller-Id: 703-892-1228
Message-Id: 458AH-PEL-02UEU

This e-mail contains a voice message.
Double click on the link to listen the message.
Sent by Microsoft Exchange Server

The Better Business Bureau published a screenshot of a similar message. According to the BBB, the "attachment appears to be a .wav audio file, but it’s really an HTML link that redirects recipients to a malicious website."

As far as we can tell, there is no email attachment in this attack; the message claims to contain a WAV file, but merely includes a link that claims to allow the victim to play that "voice mail." examined one instance of this attack, stating that the link directed the recipient to "hxxp: // /5ACeRRyc /index.html" or "hxxp: // / EuaWg3cd / index.html". The victim's browser was then presented with a malicious Java applet "Gam.jar" and was further redirected to a URL at 173.255.221.74.
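The defining trait of this lure is the mismatch the diary points out: the body advertises an audio attachment, but the message carries no attachment at all, only a link. The check below is an added example (not code from the ISC diary) that flags that mismatch in a constructed copy of the quoted message; the sender and link domains are placeholders, not the real ones.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample modelled on the lure quoted above; domains are placeholders.
SAMPLE_LURE = """\
From: voicemail@example.invalid
To: victim@example.invalid
Subject: Voice Mail from 703-892-1228 (55 seconds)
Content-Type: text/html

<p>You received a voice mail : <a href="http://phish.example.invalid/5ACeRRyc/index.html">N_V50-062-NIDS.WAV (182 KB)</a></p>
<p>Caller-Id: 703-892-1228<br>Message-Id: 458AH-PEL-02UEU</p>
<p>This e-mail contains a voice message. Double click on the link to listen the message.</p>
<p>Sent by Microsoft Exchange Server</p>
"""

AUDIO_NAME = re.compile(r"\b[\w\-]+\.(?:wav|mp3|wma)\b", re.IGNORECASE)
HREF = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def check_voicemail_lure(raw: str) -> dict:
    """Return what the body claims, what is really attached, and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    claimed = AUDIO_NAME.findall(text)            # file names the text advertises
    attached = [p.get_filename() for p in msg.walk() if p.get_filename()]
    links = HREF.findall(text)
    audio_attached = any(AUDIO_NAME.fullmatch(a) for a in attached)
    # Lure signature: advertises audio, ships no audio, and offers a link to click instead.
    suspicious = bool(claimed) and not audio_attached and bool(links)
    return {"claimed_audio": claimed, "attachments": attached,
            "links": links, "suspicious": suspicious}


def benign_voicemail() -> str:
    """Constructed control case: the WAV really is attached and there is no link."""
    msg = EmailMessage()
    msg["Subject"] = "Voice Mail from 555-0100"
    msg.set_content("You received a voice mail: memo.wav is attached.")
    msg.add_attachment(b"RIFF\x00\x00\x00\x00WAVE", maintype="audio",
                       subtype="wav", filename="memo.wav")
    return msg.as_string()


if __name__ == "__main__":
    print(check_voicemail_lure(SAMPLE_LURE))
    print(check_voicemail_lure(benign_voicemail()))
```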

The Jsunpack website captured the contents of one instance of the exploit being delivered via Gam.jar from, which (not surprisingly) contained the malicious Java applet and obfuscated JavaScript. This looks like an instance of the Blackhole Exploit Kit.

If you have additional details regarding this scam and the associated client-side attack, please let us know or leave a comment.


-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and . He also writes a security blog.


216 Posts
Sep 14th 2012
We got one too. Though ours was referring to a URL of hxxp://

Has anyone mentioned how cool the new response-policy zones in bind are? :-) I'm updating our own private RPZ now...

127 Posts
We got a few as well. Ours went to hxxp:// and hxxp://

So it looks like they have a lot of domains. The file that it was trying to download from the address was "calc.exe". Thankfully, we block executable downloads.
3 Posts
We have had Better Business Bureau, ADP, FDIC, Wells Fargo, voice mail notifications all this week. The links all varied depending on the email.
2 Posts
Fake ADP emails, voice mail notifications lead to Blackhole Exploit Kit
13 Sep 2012

160 Posts
