Websense Security Labs: Alert Reuters
March 2009 by Websense
Websense Security Labs ThreatSeeker™ Network has detected yet another new Waledac campaign theme in the wild. The new variant uses a Reuters theme as a social engineering mechanism to report a bogus news item relating to a ‘bomb explosion’.
The malicious Web sites in the current attack are socially engineered to report the geolocation of the incident corresponding to the user’s IP address. They encourage users to view a video supposedly related to the news report. When users click on the video or the link below the video, they are advised to download the latest version of Flash Player. This leads to the download of Waledac variants.
The theme includes legitimate links to Wikipedia and Google, which are presented in a ‘Related Links’ section of the attack Web sites. These legitimate links are used to target unsuspecting users and increase the attack’s chances of success.
Example malicious emails used in campaign:
Example of Web site used in campaign:
Screenshot of the malicious Web site’s source:
Websense® Messaging and Websense Web Security customers are protected against this attack.