The browser is redirected to the web page showing the notification as follows:
The script looks like as shown below:
The deobfuscation results in the following code.
Again, the iframe loads content from third-party domain hosting Browser Exploit Pack (BEP). The interesting fact is that, we received a number of emails within a span of time. Every new phishing email has a new embedded URL as follows:
hxxp://tainguyenso.com/admincp/amazinhdtv.html [V Bulletin]
These emails look very genuine and authentic. It is highly advised that to be paranoid and think twice before interacting with these emails.
Check previous post about LinkedIn Phishing Attack - http://secniche.blogspot.com/2012/08/linekedin-invitation-phishing-blackhole.htmlhttp://secniche.blogspot.com/2012/08/linekedin-invitation-phishing-blackhole.html