Spam Email: “Incoming voice mail – 5:28AM” / “WhatsAppNotifier [[email protected]]”

Today we have received a suspicious email

From: WhatsAppNotifier <[email protected]>
To: [redacted]
Subject: Incoming voice mail – 5:28AM
Date: Sun, 27 Sep 2015 05:28:11 +0000


If the potential victim clicks “Listen” then they are directed to[.]vn/wp-content/uploads/tomahawk.php on . HTTP request/response below:

The HTTP response above contains a javascript which contains the String.fromCharCode function. Beautifying the javascript code using would result in the following script:

The victim would automatically be pointed to the domain : herbalhotpurchase[.]ru on which -during the time of writing- points to a 403 page:

The spam itself appears to have been sent from a compromised webmail account at [email protected]

Leave a Reply