Same old social-engineering

It often surprises me that malware authors continue to stick to the same old social engineering tricks to dupe victims into infecting themselves. Whether this says more about the malware authors or the large pool of people that are susceptible to the attacks is not clear. Whatever the case, it is clear that user education continues to be important.

A couple of campaigns using traditional social engineering lures that typify malware distribution today are outlined below.

Mal/EncPk-DA
The first campaign involves a combination of spam, compromised web sites and social engineering. The attacker has been sending out waves of sensationalist spam messages, encouraging the recipient to click on a link in the message to visit a web site.

[Example subject lines from spam messages]

Each message contains a URL linking to some web site. The sites are not outright malicious – the attackers are using a series of legitimate sites onto which various malicious files have been loaded. These include the page to which the user is directed from the spam message – normally, about.html, news.html or main.html. The page presents the user with a fake image (actually an animated GIF):

[Fake video image]

The web page contains a META redirect pointing to an executable uploaded to the compromised site:

[META redirect to executable]

The web page is pro-actively blocked by Sophos as Troj/ExePage-A. Clicking on the fake video, or simply remaining on the page for a few seconds, results in the victim being prompted to download and run an executable, watch.exe. The file is malicious and is pro-actively detected as Mal/EncPk-DA.
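The pattern described above (a landing page whose only real content is a META refresh that sends the visitor to a hosted executable after a short delay) is easy to flag at a web proxy or in a mail/URL sandbox. The following is an added example, not Sophos's Troj/ExePage-A detection logic or any code from the original post: it uses only the Python standard library to pull every META refresh out of a page and report the ones that point at an executable within a short delay. The sample pages, the function names, the extension list and the 10-second threshold are all assumptions constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: file extensions that a landing page has no legitimate reason to
# auto-redirect a browser into downloading. Extend to taste for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def parse_refresh_content(content):
    """Parse the content attribute of a META refresh: 'N' or 'N; url=...'.

    Tolerates upper/lower case, commas instead of semicolons, and quoted URLs.
    Returns (delay_seconds, url) or None if the value is not a refresh directive.
    """
    m = re.match(
        r"\s*(\d+)\s*(?:[;,]\s*url\s*=\s*['\"]?([^'\"]*)['\"]?)?\s*$",
        content,
        re.IGNORECASE,
    )
    if not m:
        return None
    return int(m.group(1)), (m.group(2) or "").strip()


class MetaRefreshParser(HTMLParser):
    """Collect every <meta http-equiv="refresh"> tag found in a document."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        # html.parser yields None for valueless attributes; normalise to ""
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        parsed = parse_refresh_content(a.get("content", ""))
        if parsed is not None:
            self.refreshes.append(parsed)


def find_meta_refresh_redirects(html):
    """Return a list of (delay, url) for every META refresh in the page."""
    p = MetaRefreshParser()
    p.feed(html)
    p.close()
    return p.refreshes


def flag_executable_redirects(html, max_delay=10):
    """Return the META refreshes that auto-navigate to an executable file.

    A refresh whose target path ends in an executable extension and whose
    delay is short enough to fire while a visitor is still looking at the
    page is the "fake video -> watch.exe" lure described in the post.
    """
    hits = []
    for delay, url in find_meta_refresh_redirects(html):
        path = urlparse(url).path.lower()
        ext = path[path.rfind("."):] if "." in path else ""
        if ext in EXECUTABLE_EXTS and delay <= max_delay:
            hits.append((delay, url))
    return hits


# Constructed sample: a fake-video landing page of the kind described above.
LURE_PAGE = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="5; URL=http://example.invalid/gallery/watch.exe">
</head><body>
<a href="http://example.invalid/gallery/watch.exe"><img src="video.gif"></a>
</body></html>"""

# Constructed sample: an ordinary page that refreshes to another HTML page.
BENIGN_PAGE = """<html><head>
<meta http-equiv="refresh" content="30; url=news.html">
</head><body><p>Latest headlines</p></body></html>"""


if __name__ == "__main__":
    for name, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, flag_executable_redirects(page))
```

Running the block prints one hit for the constructed lure page and none for the benign one. Because the check is on the redirect target rather than the executable itself, it fires before the download happens, which is the useful place to block: the compromised host is otherwise legitimate, so reputation alone will not catch it.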

Mal/TibsPk-D
The second case is a little more blatant. Many spammed-out messages lure recipients into clicking on a link to view nude photos of Angelina Jolie.

[Spammed out Angelina Jolie message]

As with the previous example, some of the sites being referenced in these messages are not outright malicious, but legitimate sites to which malicious files have been uploaded. (Looking through a variety of the sites, it is clear that a number of image galleries have been exploited.) Anyone clicking the link will download a malicious Win32 executable and potentially infect themselves with Mal/TibsPk-D.

So, in this blog I have shown two very active campaigns that we have seen this week. Nothing hugely exciting or novel, but good examples of how the blend of spam and compromised web sites forms the bread and butter of malware delivery today. And it is obvious that the same old social engineering tricks are still working. The only thing that changes is the subject – Britney is so yesterday…