Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread spam campaign that poses as a breaking news report, but really leads computer users to an infected website. The spam pretends to be a link to news about Iran's controversial decision to continue work at its Isfahan nuclear plant, but is really an attempt to lure innocent computer users into being infected by a Trojan horse and attacked by hackers.
The email pretends to be a breaking news report.
The Isfahan nuclear plant is the main uranium conversion facility in Iran. Conversion is part of the process used to produce nuclear fuel, and when enriched to a low level makes it suitable for use in atomic weapons. The United States and European Union had warned that resumption of work at the plant could lead to Iran being taken to the UN Security Council for sanctions.
"Hackers are spamming out messages claiming to be breaking news stories, in the hope that unwary internet surfers will visit the malicious websites for further information," said Graham Cluley, senior technology consultant at Sophos. "We saw the same gang of hackers use a near-identical trick about the tragic story of US marine deaths in Iraq last week."
Subject lines used in the malicious emails include, but are not limited to, the following:
Iran snubs pleas, resumes uranium shift
TThe PPhantom Menace
Iran to restart U productionn
What will they do with the refined uraniuum?
Where doees Iran get its uranium ores?
How easily ccould U-238 be used to makke a bomb?
Sophos experts believe that the people behind the email attack are using software to deliberately obfuscate and misspell the subject lines in an attempt to avoid rudimentary anti-spam filters.
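The doubled-letter obfuscation described above defeats an exact-match subject filter but not one that canonicalizes first. The following is an added example, not Sophos code: the clean signature list is restored by hand from the subject lines quoted in this article, and the function names are hypothetical.

```python
import re
from itertools import groupby

# Clean forms of the subject lines quoted in the article, restored by hand
# for this example (constructed signatures, not a vendor rule set).
KNOWN_SUBJECTS = [
    "Iran snubs pleas, resumes uranium shift",
    "The Phantom Menace",
    "Iran to restart U production",
    "What will they do with the refined uranium?",
    "Where does Iran get its uranium ores?",
    "How easily could U-238 be used to make a bomb?",
]

def collapse(text):
    """Lowercase, squeeze whitespace, and reduce every run of a repeated
    character to one, so 'uraniuum' and 'uranium' share the same key."""
    text = re.sub(r"\s+", " ", text.strip().lower())
    return "".join(ch for ch, _ in groupby(text))

# The same transform is applied to signatures and to incoming subjects, so
# legitimate double letters ('will' -> 'wil') cancel out on both sides.
SIGNATURES = {collapse(s): s for s in KNOWN_SUBJECTS}

def naive_match(subject):
    """Exact string comparison, as a rudimentary filter would do."""
    return subject in KNOWN_SUBJECTS

def classify(subject):
    """Return (clean_subject, was_stuttered) for a known subject, else None.
    was_stuttered is True when the text differs from the clean form, which
    is itself a sign of deliberate obfuscation."""
    clean = SIGNATURES.get(collapse(subject))
    if clean is None:
        return None
    return clean, subject.strip() != clean

if __name__ == "__main__":
    # Subjects as quoted in the article, plus one constructed benign subject.
    samples = [
        "TThe PPhantom Menace",
        "How easily ccould U-238 be used to makke a bomb?",
        "Quarterly report attached",
    ]
    for s in samples:
        print(f"{s!r}: naive={naive_match(s)} canonical={classify(s)}")
```

Collapsing runs can also merge unrelated words that differ only by a doubled letter, so a hit is best treated as one scoring signal alongside URL and sender checks rather than as a verdict.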
Windows users who make the mistake of following the web link visit a malicious website which pretends to be a fuller version of the news story:
The website pretends to be a news story about the Iranian nuclear crisis.
In reality, the website exploits vulnerabilities in Microsoft's Internet Explorer software to install the Cgab-A and Borodr-Fam Trojan horses. The Trojan horses are designed to allow remote hackers to gain unauthorized access to the victim's computer.
"Simply reading the spam email doesn't infect you. As long as you don't click on the link you have nothing to fear," continued Cluley. "But if you click on the link and visit the infected website then you are putting the safety of your data and computer at risk. Everyone should ensure they keep their anti-virus protection up-to-date and never follow links in unsolicited email messages."
Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at the email gateway to defend against viruses and spam.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.