It’s not all that surprising, as current events have long been a staple among the lures employed by malware distributors seeking to trick people into clicking on their attack-laden URLs or e-mail attachments, but the latest run of threats advertised under the guise of a fake news story about U.S. troops invading Iran would seem likely to draw a fair number of eyeballs.
With tensions between the two nations simmering over Iran’s reported nuclear weapons development programs, researchers at Sophos intercepted the e-mail campaign and reported on it in a blog posting July 9, highlighting an attack that encourages users to click on a related video file that holds a hidden Trojan malware infection.
The attack uses several different variations on the theme in spam e-mails titled “Third World War has begun,” “20000 US Soldiers in Iran,” and “U.S. Army crossed Iran’s borders.” Sophos researchers said the link leads to a site with a video player showing a picture of a mushroom cloud with the following text beneath:
“Just now U.S. Army’s Delta Force and U.S. Air Force have invaded Iran. Approximately 20,000 soldiers crossed the border into Iran and broke down the Iran’s Army resistance. The video made by U.S. soldier was made today morning. Click on the video to see the first minutes of the beginning of World War III. God save us.”
The site advertises the video as real footage of U.S. soldiers engaged in fighting in Iran.
Behind the video link is a Trojan attack that Sophos has identified as Troj/Tibs-UO as well as malicious JavaScript code hidden on the Web site dubbed Mal/ObfJS-AY.
To run any risk of infection, the researchers said a user would need to click on the video player links that are being offered.
“Receiving or reading the e-mails themselves does not mean you’re infected, but visiting the link contained in them, or trying to watch the video, is definitely a bad idea,” longtime Sophos malware expert Graham Cluley wrote in the blog. “Once your computer is under the control of hackers they could steal your personal information to commit identity theft, or use your PC to spam out junk mail to millions of people around the world.”
Cluley said just as malware attackers have long sought to spread the Storm Worm/Trojan using headlines built around popular news items, the new attack illustrates the growing level of social engineering being utilized in many threat campaigns.
“Hackers are taking advantage of the fact that many people today get their fix for breaking news via the Internet,” Cluley said. “People, especially those with loved ones in the Middle East, may rush to watch the video without engaging their common sense.”
The AV company pointed out that this is not the first time that news about rising tensions between Iran and the West has been utilized by malware gangs.
A spam campaign built around a theme of Iran’s nuclear programs first surfaced in 2005. In 2004, a worm was circulated using propaganda about European nations’ lack of respect for Iran based on their involvement in the Iraq War.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
