Fourth of July malware attack targets returning American holiday makers, Sophos reports
July 2008 by Sophos
Sophos is warning computer users of a widespread email spam campaign that poses as a video of American Independence Day fireworks, but is really an attempt to lure innocent victims into having their computers hacked. The attack is the latest from the gang behind the Dorf malware, also known as the Storm worm.
Subject lines used in emails sent by the hackers include:
– Amazing Independence Day salute
– America the Beautiful
– Celebrating Fourth of July
– Fabulous Independence Day firework
– God bless America
– Happy Fourth of July
Samples intercepted by Sophos show that inside each email is a simple phrase such as "Amazing Independence Day salute" or "The best firework you’ve ever seen", followed by a web link. Visiting the IP address takes the unsuspecting user to a malicious webpage, which disguises itself as a video player showing a firework display, with the following message:
"Colourful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it."
However, clicking on the ’video’ prompts the computer to attempt to download a file called ’fireworks.exe’ onto Windows PCs, which Sophos proactively intercepts as the Troj/Dorf-BP Trojan horse.
"Everyone loves fireworks, but you’re not going to be feeling in the mood for celebrations if this malware infects your Windows PC, turning it into a part of a botnet for criminals to commit identity theft and launch spam and malware campaigns," said Graham Cluley, senior technology consultant at Sophos. "Americans are not the only ones at risk as they open their email this morning - people around the world with US-based friends may be tempted to follow the link and watch the video. Many Americans may be taking the day off today to celebrate their country’s independence, and return to work on Monday morning not realising what may be waiting for them in their inbox."
Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution to defend against malware, spyware, hackers and spam.
"The gang behind the Dorf family of attacks, also known as the Storm worm, has targeted other holidays in the past - Christmas, St Valentine’s Day, Halloween.. the list goes on," continued Cluley. "The reason that they do this is very simple - it works. People fall for tricks like this all the time. Companies and individuals need to protect themselves with up-to-date anti-virus protection and learn not to be caught out by this kind of simple confidence trick again."