We have observed a fraudulent spam attack masquerading as an email from Symantec. This email is in Portuguese and contains the Symantec logo and coloring, which make it appear to be a legitimate email from Symantec. The “From” line is forged to add further credibility. The “Subject” and “From” lines appear as follows:
Subject: Security Check
From: SYMANTEC <Worm@bda.267>
Needless to say, this is not from Symantec. The body of the message contains text that indicates that the Symantec Security Check System has tested your computer and found “X” number of dangerous imperfections. The email goes on to say that your computer is infected with the virus “Worm@bda.267.” Users are encouraged to click the provided link to download updates to protect their systems from further damage from this worm. Incidentally, there is no such virus as Worm@bda.267.
If the link is clicked, the virus will be downloaded onto the victim’s computer. Spammers are using a social engineering technique by leveraging the reputation that Symantec has for antivirus. The spammers are also banking on the hope that if Symantec tells you that you have a virus and provides a link to download protection, you might just click it.
The body of the email looks like the following:
One interesting thing about this attack is the use of “recycling” by the spammers. We’ve seen this exact spam attack before, but not for approximately two years. The spam message back then was also in Portuguese and had an almost identical body to this more recent spam. In the previous attack the payload was a downloader, but it is interesting to see that spammers are recycling nearly identical messages several years apart.
This is one trick that you shouldn’t fall for. When receiving any email from a reputable company, always check the headers to verify that they match the company the message is supposedly coming from. This is especially important in the current flurry of virus emails, and if you’re ever in doubt, it doesn’t hurt to send an email or make a phone call—check with the (supposed) sender of the message to make sure that it is legitimate.
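The header check recommended above, as an added example that is not part of the original post: it parses a constructed copy of the spam’s headers and flags a “From” line whose display name claims a brand while the address domain does not belong to that brand. The brand-to-domain mapping and the Return-Path/Received values are assumptions made for the demonstration.

```python
"""Header-consistency check for brand-impersonation spam (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains a brand is expected to send mail from (illustrative only).
BRAND_DOMAINS = {
    "symantec": {"symantec.com"},
}

# Constructed sample modelled on the Subject/From lines quoted in the post;
# the Return-Path and Received values are made up for this demonstration.
SAMPLE_SPAM = """\
Return-Path: <bounce@example.invalid>
Received: from mail.example.invalid (unknown [192.0.2.10])
From: SYMANTEC <Worm@bda.267>
Subject: Security Check
Content-Type: text/plain; charset=utf-8

Symantec Security Check System detected Worm@bda.267 ...
"""


def header_domain(value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def check_sender_headers(raw_message):
    """Return reasons the From line looks forged (empty list = nothing found)."""
    msg = message_from_string(raw_message)
    name, _ = parseaddr(msg.get("From", ""))
    from_domain = header_domain(msg.get("From"))
    findings = []
    # 1. Display name invokes a brand, but the address is not on a brand domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(
            from_domain == d or from_domain.endswith("." + d) for d in domains
        ):
            findings.append(f"display name claims {brand!r} but address domain is {from_domain!r}")
    # 2. A routable domain needs an alphabetic top-level label ("267" is not one).
    if not from_domain.rpartition(".")[2].isalpha():
        findings.append(f"From domain {from_domain!r} has no valid top-level domain")
    # 3. Envelope sender (Return-Path) should agree with the header From domain.
    rp_domain = header_domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain!r} differs from From domain {from_domain!r}")
    return findings
```

Run against the constructed sample it reports all three mismatches; a message whose display name, address domain and Return-Path all agree returns an empty list.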