Dirty bomb news report leads to PC infection

Filed Under: Malware, Spam

Dmitry from our Vancouver offices has covered this in some detail on the SophosLabs blog, but I thought it was worth sharing with a wider audience.

Hackers are spamming out emails posing as breaking news stories about a bomb blast in your city, in the hope that you will follow the link and infect yourself with malware.

The emails, which have subject lines like "Why did it happen in your city?", "Take Care!", "Are you and your friends in good health?", claim that 18 people have been killed in an explosion and link to what appears to be a Reuters-related news website.

Malicious email containing fake news report

However, clicking on the link takes you to a dangerous website whose only intention is to infect your Windows PC with malicious code. Clicking on what appears to be a video about the breaking news story actually leads to a malicious download.

Part of the text of the website designed to fool the unwary into believing the story to be true, reads as follows:

At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Amsterdam. Authorities suggested that the explosion was caused by a "dirty" bomb. Police said the bomb was detonated from close by using electic cables. "It was awful" said the eyewitness about blast that he heard from his shop. "It made the floor shake. So many people were running"

You'll notice that the hackers did not do a brilliant job in their wording - which might ring alarm bells in some people. But I wonder how many others would be blind to such a clue, and just click on the video regardless?

What is particular clever about the website is not that it pretends to be connected with Reuters (that's trivial for anyone to do as all you need is a copy of the Reuters logo and some generic news report text), but that it attempts to do a GEO-IP lookup on your whereabouts and customises the story to appear as though it relates to your location.

Malicious website posing as a breaking news story

So, for example, if you visit the webpage from London it is likely to claim that the bomb blast has occurred there.

Sophos detects the malware as Mal/WaledPak-E, but users of other security products might be wise to check that their own defences have been updated.

You might like

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.