Spammers and other cyber-scammers often cash in on breaking news and topical stories to trick users into downloading malware or clicking on suspicious links. This campaign targets people following the latest WikiLeaks disclosures.
One e-mail scam, intercepted by researchers at Symantec, has “IRAN Nuclear BOMB” in the subject line and a spoofed wikileaks.org address in the From field (the From header is supplied by the sender, and nothing in plain SMTP checks it). The message body is typically short and is accompanied by a link.
Clicking on the URL downloads a file named Wikileaks.jar. The JAR itself is only a downloader: it contacts a second site and fetches the actual payload, which Symantec detects as W32.Spyrat.
The e-mail pretends to be from WikiLeaks, and the “publisher” shown by Java when the file is run claims the same thing: “(NOT VERIFIED) WikiLeaks Co”. The “(NOT VERIFIED)” tag means the JAR’s signing certificate does not chain to a trusted certificate authority, so the publisher name is simply whatever the attacker put into a self-signed certificate and carries no weight.
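The two observable traits of the lure described above, a From header claiming wikileaks.org while the mail actually comes from elsewhere, and a link to a .jar hosted off that domain, are easy to check at the mail gateway. The script below is an added example and is not code from the article or from Symantec; the sample message, the sender hosts and the download URL in it are constructed for illustration, and the rule names and thresholds are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the lure the article describes:
# a From: header claiming wikileaks.org, a short body and a link to a .jar.
# Every host name, address and path here is invented for this example.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@example-mailer.invalid>
Received: from mail.example-mailer.invalid (203.0.113.10) by mx.example.com
From: WikiLeaks <press@wikileaks.org>
To: victim@example.com
Subject: IRAN Nuclear BOMB
Content-Type: text/plain; charset=us-ascii

Leaked cable, read it before it is taken down:
http://mirror.example-lure.invalid/Wikileaks.jar
"""

CLAIMED_DOMAIN = "wikileaks.org"
# Extensions worth flagging when linked from a message that claims a brand.
RISKY_EXTENSIONS = (".jar", ".exe", ".scr", ".js", ".vbs", ".zip")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def header_domain(value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def extract_urls(msg):
    """Collect every http(s) URL from the text/plain parts of a message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def triage(raw_message):
    """Return the reasons a message matches the lure pattern; an empty list means no hit."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = header_domain(msg.get("From"))
    bounce_domain = header_domain(msg.get("Return-Path"))

    # Rule 1: header From claims the trusted domain, but the envelope sender
    # (Return-Path) points somewhere else. A forged From is cheap; the envelope
    # sender is what the delivering MTA actually saw.
    if from_domain == CLAIMED_DOMAIN and bounce_domain != CLAIMED_DOMAIN:
        findings.append(
            f"From claims {from_domain} but Return-Path is {bounce_domain or 'missing'}"
        )

    # Rule 2: the body links to an executable or archive hosted off the
    # claimed domain. The article's lure linked to Wikileaks.jar on a third site.
    for url in extract_urls(msg):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        on_claimed_domain = host == CLAIMED_DOMAIN or host.endswith("." + CLAIMED_DOMAIN)
        if parsed.path.lower().endswith(RISKY_EXTENSIONS) and not on_claimed_domain:
            filename = parsed.path.rsplit("/", 1)[-1]
            findings.append(f"link to {filename} on {host}, not {CLAIMED_DOMAIN}")

    return findings


if __name__ == "__main__":
    for reason in triage(SAMPLE_MESSAGE):
        print("SUSPICIOUS:", reason)
```

Rule 1 is a cheap stand-in for a proper SPF/DKIM/DMARC evaluation: if the gateway already records an Authentication-Results header, check that instead of comparing Return-Path by hand. Rule 2 deliberately keys on the file extension and hosting domain rather than the exact name Wikileaks.jar, since the name changes between campaigns and the shape of the lure does not.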
W32.Spyrat opens a backdoor on the infected machine and lets the attacker perform a range of actions: creating and reading files, executing applications and scripts, harvesting saved passwords, switching on the webcam and capturing images, and logging keystrokes. If that list is not daunting enough, Spyrat can also start an HTTP proxy and relay web traffic through the computer, essentially turning the hijacked PC into a zombie, according to Symantec.
Graham Cluley of Sophos has a handy rule when dealing with spam and other Web-based scams. “Use your common sense,” he says. In this case, WikiLeaks already has a platform that works just fine for distributing information, so there is no reason for the site to suddenly start e-mailing people, right?
Right. Hit that delete button and let’s move on.