Bogus wire rejection notices lead to exploit kit

Fake notices about a rejected wire transfer have been hitting inboxes around the world, trying to trick recipients into downloading the attached malicious file, Sophos warns.

The emails in question usually appear to be a reply to a previous email or a forwarded one, and contain the words “Wire Transfer Confirmation” and occasionally bogus reference numbers in the subject line.

On opening the attached Wire_AMBA01-Rejected.htm file, users are first directed to a webpage displaying a “Please wait a moment. You will be forwarded…” message, and are then redirected to a compromised Russian website hosting the Blackhole exploit kit.

If the exploit kit finds vulnerabilities it can take advantage of, users are served a number of malicious payloads.

As always, users are advised to never open attachments from unsolicited emails.
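A mail-gateway check for the attachment behaviour described above, as an added example that is not from Sophos or the original article: it flags HTML attachments that navigate away on their own. The article does not say how the attachment performs the redirect, so the two patterns (meta refresh and a script assignment to `location`) are assumptions, as are the function names; the sample message and its destination URL are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed redirect mechanisms; the article does not say which one the attachment used.
REDIRECT_PATTERNS = {
    "meta-refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
    "js-location": re.compile(
        r"\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:replace|assign)\s*\(", re.I),
}

def scan_raw(raw: bytes):
    """Return [(filename, [pattern names])] for HTML attachments that auto-navigate."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html = (name.lower().endswith((".htm", ".html"))
                   or part.get_content_type() == "text/html")
        if not is_html:
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # HTML sent with a non-text MIME type
            body = body.decode("utf-8", "replace")
        hits = [label for label, rx in REDIRECT_PATTERNS.items() if rx.search(body)]
        if hits:
            findings.append((name, hits))
    return findings

def build_sample(html: str, filename: str) -> bytes:
    """Constructed test message; subject wording follows the article."""
    msg = EmailMessage()
    msg["Subject"] = "Re: Wire Transfer Confirmation"
    msg.set_content("Please see the attached notice.")
    msg.add_attachment(html, subtype="html", filename=filename)
    return msg.as_bytes()

# Constructed sample: interstitial text from the article, placeholder destination.
REDIRECT_HTML = ("<html><body>Please wait a moment. You will be forwarded..."
                 "<script>window.location='http://redirect.example.invalid/';</script>"
                 "</body></html>")

if __name__ == "__main__":
    for name, hits in scan_raw(build_sample(REDIRECT_HTML, "Wire_AMBA01-Rejected.htm")):
        print(f"quarantine candidate: {name} ({', '.join(hits)})")
```

A hit is a reason to quarantine the message for review, not proof of malice, since legitimate HTML attachments occasionally redirect as well.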