Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread spam campaign that poses as a breaking news report about the Hurricane Katrina disaster affecting the southern states of the USA. The campaign tries to trick innocent computer users into visiting a bogus website that attempts to infect their PCs with malware.
The email pretends to be a breaking news report.
Subject lines used in the malicious emails include, but are not limited to, the following:
Re: g8 Tropical storm flooded New Orleans.
Re: g7 80 percent of our city underwater.
Re: q1 Katrina killed as many as 80 people.
Sophos experts believe that the people behind the email attack are deliberately adding random characters into the subject lines in an attempt to avoid detection by rudimentary anti-spam filters.
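To illustrate why the random characters defeat a literal subject match and how normalising the subject restores detection, here is an added example that is not Sophos's code. It assumes the filler is a single letter-plus-digit token directly after "Re:", as in the three subjects quoted above; the function names and the extra inbox lines are constructed for the illustration.

```python
import re
from collections import defaultdict

# Assumption drawn from the three quoted subjects: the filler is one short
# letter+digit token placed right after the reply prefix.
PREFIX = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.I)
FILLER = re.compile(r"^([a-z]\d)\s+", re.I)

def split_subject(subject):
    """Return (filler_token_or_None, normalised_text)."""
    rest = PREFIX.sub("", subject)
    m = FILLER.match(rest)
    token = m.group(1).lower() if m else None
    if m:
        rest = rest[m.end():]
    text = re.sub(r"\s+", " ", rest).strip(" .!").lower()
    return token, text

def exact_blocklist_hits(subjects, blocklist):
    """Rudimentary filter: literal string comparison only."""
    return [s for s in subjects if s in blocklist]

def normalized_hits(subjects, blocklist):
    """Compare the text left once prefix and filler are removed."""
    known = {split_subject(b)[1] for b in blocklist}
    return [s for s in subjects if split_subject(s)[1] in known]

def token_varied_clusters(subjects, min_tokens=2):
    """Same text behind several different filler tokens: a campaign signal."""
    groups = defaultdict(set)
    for s in subjects:
        token, text = split_subject(s)
        if token:
            groups[text].add(token)
    return {t: toks for t, toks in groups.items() if len(toks) >= min_tokens}

# One subject already known to the filter (quoted in the report).
SEEN = ["Re: g8 Tropical storm flooded New Orleans."]
INBOX = [
    "Re: g8 Tropical storm flooded New Orleans.",   # quoted in the report
    "Re: k3 Tropical storm flooded New Orleans.",   # constructed variant
    "Re: g7 80 percent of our city underwater.",    # quoted in the report
    "Re: q1 Katrina killed as many as 80 people.",  # quoted in the report
    "Re: Q3 budget review",                         # constructed benign mail
]

if __name__ == "__main__":
    print("exact match:", exact_blocklist_hits(INBOX, SEEN))
    print("normalised :", normalized_hits(INBOX, SEEN))
    print("clusters   :", token_varied_clusters(INBOX))
```

The benign "Q3 budget review" line also loses its leading token during normalisation, but it is not flagged because its remaining text matches no known subject and appears behind only one token.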
The body of the emails can vary, but all relate to the disaster hitting New Orleans and elsewhere across the southern American states. A typical example reads as follows:
Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed as many as 80 people in his state and burst levees in Louisiana flooded New Orleans.
Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles northeast of Tupelo, Miss., moving north-northeast with winds of 50 mph. Forecasters at the National Hurricane Center said the amount of rainfall has been adjusted downward Monday.
"Receiving or reading the emails themselves does not mean you are infected," said Graham Cluley, senior technology consultant for Sophos. "However, if users click on the link contained inside the email they will be taken to a malicious website which will try and infect their computer. Once infected the computer is under the control of remote criminal hackers who can use it to spy, steal or cause disruption."
Windows users who follow the web link visit a website which pretends to be a fuller version of the news story, but exploits vulnerabilities in Microsoft's Internet Explorer software to install a variety of malicious code including Troj/Cgab-A, Troj/Borobot-P, Troj/Borobot-Q, Troj/Borodldr-H, and Troj/Inor-R. The malicious attack is designed to allow remote hackers to gain unauthorized access to the victim's computer.
Clicking on the link in the email takes users to a website which claims to contain a news story about the disaster, but is really designed to secretly install malicious code onto the computers of unsuspecting users.
"The hurricane is a dreadful natural disaster, and it's sickening to think that hackers are prepared to exploit the horrendous situation in an attempt to break into computers for the purposes of spamming, extortion and theft," continued Cluley. "Everyone should ensure they have defenses in place to properly protect against the very latest malware attacks."
Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at the email gateway to defend against viruses and spam.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.