A new finance spam campaign with HTML attachments has been discovered that utilizes Google's public DNS resolver to retrieve JavaScript commands embedded in a domain's TXT record. These commands then redirect the user's browser to an aggressive trading advertisement site, which has been reported as a scam.
According to MyOnlineSecurity.com, who discovered this campaign, it is being targeted at people in the United Kingdom, and the associated IP addresses have previously been utilized by the Necurs botnet.
The spam campaign
These spam emails will have the subject line of "Delivery [number]", such as "Delivery 0802", and will state that an invoice for a recent purchase is attached. This attachment is an HTML file with names like "invoic-B075.html".
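A mail gateway or triage script can look for this pattern in HTML attachments. The following is an added example, not code from the original report: a heuristic that flags inline scripts which query a TXT record through Google Public DNS's JSON API and also contain a code-execution or redirect sink. The resolver endpoint (`/resolve` on `dns.google` or `dns.google.com`) is an assumption, since the article does not quote the URL the attachment used, and the sample inputs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Google Public DNS JSON API hosts. The article does not quote the URL the
# attachment used, so matching these documented endpoints is an assumption.
RESOLVER_HOSTS = {"dns.google", "dns.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Sinks that turn a fetched string into running code or a redirect.
SINK_RE = re.compile(
    r"\beval\s*\(|\bnew\s+Function\s*\(|document\.write\s*\(|"
    r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(", re.I)


def txt_lookups(script_text):
    """Return the names a script asks the resolver's /resolve API for as TXT."""
    names = []
    for url in URL_RE.findall(script_text):
        parts = urlsplit(url.replace("&amp;", "&"))
        host = (parts.hostname or "").lower()
        if host not in RESOLVER_HOSTS or not parts.path.startswith("/resolve"):
            continue
        query = parse_qs(parts.query)
        rtype = query.get("type", ["A"])[0].upper()
        if rtype in ("TXT", "16"):  # 16 is the numeric TXT record type
            names.extend(query.get("name", ["<no name>"]))
    return names


def scan_attachment(html):
    """Flag HTML whose inline scripts pair a TXT lookup with a code/redirect sink."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    names = txt_lookups(scripts)
    has_sink = bool(SINK_RE.search(scripts))
    return {"txt_names": names, "has_sink": has_sink, "suspicious": bool(names) and has_sink}


# Constructed samples (not taken from the campaign); the fetch step is elided.
SUSPICIOUS = ('<html><script>var q = "https://dns.google.com/resolve'
              '?name=txt.example.invalid&type=TXT"; /* fetch elided */ '
              'eval(payload);</script></html>')
BENIGN = ('<html><a href="https://dns.google/resolve?name=example.com&type=TXT">x</a>'
          '<script>var q = "https://dns.google/resolve?name=example.com&type=A";'
          'console.log(q);</script></html>')

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_attachment(doc))
```

The check is a static heuristic: obfuscated or string-concatenated URLs will evade it, so it works best as one signal alongside DNS-over-HTTPS egress logging for TXT queries from browser processes.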
... ...