Dirty bomb news report leads to malware infection

March 16, 2009 Sophos Press Release

IT security and control firm Sophos is warning computer users around the world to be on their guard against a widespread, malicious spam campaign that poses as breaking news stories about a bomb blast in your city.

Samples intercepted by SophosLabs claim that 18 people have been killed in an explosion and link to a video news story on a supposedly Reuters-related website. In fact, computer users that click on the link will not find more information on this breaking news story, but will actually be taken to a website that is designed to infect their Windows PC with malicious code.

However, Sophos warns that many computer users may not immediately notice the danger as the website attempts to identify users' whereabouts and customises the story to appear as though it relates to their location.

"This is a clever piece of social engineering and shows the lengths that cybercriminals will go to in order to trick more potential victims," said Graham Cluley, senior technology consultant at Sophos. "If you visit the webpage from Southampton, Bristol or London it is likely to claim that the bomb blast has occurred there. There are the usual clues that the observant computer user will recognise as spam - poor spelling and grammar being the key one - but the danger is that other less wary users won't notice this and will become engrossed in the story without realising that their PC is being infected as they read."

The emails have subject lines including "Why did it happen in your city?", "Take Care!" and "Are you and your friends in good health?", and part of the website text reads as follows:

'At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Amsterdam. Authorities suggested that the explosion was caused by a "dirty" bomb. Police said the bomb was detonated from close by using electic cables. "It was awful" said the eyewitness about blast that he heard from his shop. "It made the floor shake. So many people were running'

Malicious website posing as a breaking news story

More information on the threat can be found on Graham Cluley's blog.