The bogus invoice looks good enough to fool many (click on the screenshot to enlarge it):
"The link 'View/Download' ends in download.jpg.exe, while the 'Cancel' and 'Not your order' URLs end in check.php," shares Graham Cluley. "The smart social engineering bit is that, whether you are simply curious what this is about or furious about this unauthorized charge, you are still likely to click one of the links."
A click on the former link will automatically download the malware, while a click on the latter ones will take the victims to a bogus IRS page warning them that they are using an unsupported browser.
But this is simply a smokescreen designed to puzzle the user while the Blackhole exploit kit works furiously in the background, trying to exploit a host of Oracle Java, Adobe Flash Player and Adobe Reader vulnerabilities.
If it succeeds, the victims' computer is infected with a variant of the Zeus / Zbot banking Trojan. If not, they are offered a download of the latest version of their browser. The offered file is named update.exe and is also a Zeus Trojan variant.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.