Wednesday, March 18, 2009

Waledac's new geo-sensitive social engineering

Waledac spammers are using yet another social engineering tactic to spread their malware. As usual, the spam mails contain links to dubious websites. One such spam mail can be seen in the following screenshot:


These websites look like a Reuters news webpage reporting "powerful bomb blasts" near your area/city, with a video clip embedded in it. To see the video, the site persuades you to download a fake Flash Player.

These fake websites are geo-sensitive: they work out the visitor's place/city from the visitor's IP address and report it as the location of the "bomb blasts". This technique is called geo-targeting. An unsuspecting PC user may fall for this trick, believing that bomb blasts have really occurred in his/her area, and download the fake Flash Player! The following screenshots show the location-sensitive website content (check the place where the blasts are reported; it changes based on the visitor's geographical location):



As of now, the fake webpage is located at yyr.breakingkingnews.com (81.241.128.178) (whois).

VirusTotal results of the malware hosted at the above site can be found here and here. An automated analysis by ThreatExpert can be found here.
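An analyst can confirm the geo-sensitive behaviour described above by capturing the same URL from two vantage points and diffing the visible text. The following is an added example, not code from the original post: the snapshots are constructed, the place names are invented, and `visible_words` and `geo_templated_terms` are hypothetical helper names.

```python
import difflib
import re

TAG_RE = re.compile(r"<[^>]+>")
WORD_RE = re.compile(r"[\w'-]+")

# Constructed captures of one URL fetched from two vantage points.
# The place names are invented for this example.
SNAPSHOT_A = (
    "<html><body><h1>Powerful bomb blasts in Exampleville</h1>"
    "<p>Video report from Exampleville. Install the player to watch.</p>"
    "</body></html>"
)
SNAPSHOT_B = (
    "<html><body><h1>Powerful bomb blasts in New Sampleton</h1>"
    "<p>Video report from New Sampleton. Install the player to watch.</p>"
    "</body></html>"
)
UNRELATED = "<html><body><p>Weather forecast for the weekend is sunny.</p></body></html>"


def visible_words(html):
    """Drop tags and return the remaining text as a list of words."""
    return WORD_RE.findall(TAG_RE.sub(" ", html))


def geo_templated_terms(snapshot_a, snapshot_b, min_similarity=0.6, max_words=4):
    """Return unique (text_a, text_b) pairs that differ between two captures.

    Only short substitutions inside otherwise near-identical text are
    reported, which is the pattern a templated place name produces.
    """
    a, b = visible_words(snapshot_a), visible_words(snapshot_b)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    if matcher.ratio() < min_similarity:
        return []  # two different pages, not one template
    pairs = set()
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op == "replace" and i2 - i1 <= max_words and j2 - j1 <= max_words:
            pairs.add((" ".join(a[i1:i2]), " ".join(b[j1:j2])))
    return sorted(pairs)


if __name__ == "__main__":
    for seen_a, seen_b in geo_templated_terms(SNAPSHOT_A, SNAPSHOT_B):
        print(f"vantage A shows {seen_a!r}, vantage B shows {seen_b!r}")
```

A non-empty result means the page body is identical apart from a few substituted words; checking those words against the geolocation of each vantage point's IP address confirms the geo-targeting.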
