Cybercriminals use Google to distribute malware

Cybercriminals abuse a Google feature to trick users into downloading malware. Emails containing a link that appears to go to Google.com actually redirect to a site distributing malware. The emails have subjects that resemble a transaction ID and contain information about a financial transaction.

Users are then asked to download a .zip file that contains malware. The URL looks safe because it starts with http://www.google.com/url?q=, which gives the user the impression he's going to visit a Google site. In reality the Google URL is nothing more than a redirect that could point the user to any URL the cybercriminals want.

Often the URLs are obfuscated using ASCII character codes, a format that can be used to transmit characters over the internet. A browser does not distinguish between a regular character and its ASCII-encoded form: to the browser a "G" is the same as "%47" and an "o" is the same as "%6F".

These URLs are hardly human readable, and all a user sees is the Google.com domain he trusts. The redirection trick is increasingly used, previously mainly by spammers, but now also by malware distributors. When an email contains a URL starting with http://www.google.com/url?q= it's advisable not to click it.
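A mail filter or analyst can recover the real destination behind such a link by decoding it the same way the browser does. The following is an added example, not part of the original article: the function names, the sample message and the example.test hostnames are constructed, and only the q= parameter named above is handled.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

GOOGLE_HOSTS = {"google.com", "www.google.com"}  # assumption: hosts treated as the redirector
MAX_HOPS = 5                                     # stop on redirect links nested in each other
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message; the obfuscated link hides a .zip download.
SAMPLE_EMAIL = """Subject: Transaction 4471-A9
Your payment details are available here:
http://www.google.com/url?q=%68%74%74%70%3A%2F%2Fdownloads.example.test%2Finvoice.zip
Search help:
https://www.google.com/search?q=transaction
"""

def real_destination(url):
    """Return the final target if `url` is a Google /url?q= redirect, else None."""
    target = None
    for _ in range(MAX_HOPS):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # The path can be encoded too ("/%75rl"), so decode it before comparing.
        if host not in GOOGLE_HOSTS or unquote(parts.path) != "/url":
            break
        # parse_qs decodes each value once, turning %47 back into "G".
        candidates = parse_qs(parts.query).get("q")
        if not candidates:
            break
        target = url = candidates[0]
    return target

def flag_redirects(text):
    """List (link, decoded destination, destination host) for each redirect link in text."""
    findings = []
    for link in URL_RE.findall(text):
        dest = real_destination(link)
        if dest is not None:
            findings.append((link, dest, urlsplit(dest).hostname))
    return findings

if __name__ == "__main__":
    for link, dest, host in flag_redirects(SAMPLE_EMAIL):
        print(f"redirect to {host}: {dest}")
```

The decoded host, not the google.com prefix, is what should be checked against blocklists or shown to the recipient.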
