Sensational news headlines proclaiming that Barack Obama is refusing to accept the U.S. Presidency and doesn't want the responsibility of saving a "sinking ship" are fake and part of a malicious spam campaign aimed at infecting computers with the Waledec botnet, say experts from the Marshal8e6 TRACE Labs.
The emails use subject lines such as "Amazing News" and contain text suggesting that Obama has abandoned the presidency or no longer wants to be president. The emails provide a simple link to a look-alike Obama campaign website. The site hosts links to downloadable malware presented to the user as legitimate news headlines. The domains for the fake websites include "greatobama" or "superobama".
"Barack Obama's inauguration is just one day away. Clearly, there is significant public interest in an event as historic and anticipated as this and the spammers are exploiting it. Spammers have used social engineering ploys like this time and time again to entice spam recipients into clicking on links without thinking. These headlines are designed to catch recipients by shocking them with the unbelievable," explained Phil Hay, senior threat analyst for the Marshal8e6 TRACE Labs.
This newest spam campaign from Waledec is an example of what security vendors call a "blended threat." The email itself is not dangerous, but the web sites it links to are. In this case, a user is taken to an official-looking but fake Obama campaign web site and enticed into clicking on a news link. This link prompts the user to download a file called "barakspeech.exe", or a similar variant. This file is, in reality, malware.
"The website that these spam messages link to looks official and convincing at first glance. Closer examination reveals numerous spelling and grammatical errors on the site which could alert wary email users that this is a trick. Unfortunately, we expect that many users who are lured to these sites will invariably click on the link and infect themselves," said Hay.
The Waledec botnet is new on the scene and widely considered by Internet security researchers to be the latest creation of the authors of the Storm botnet, which ceased spamming in September 2008. Waledec first appeared in December 2008, according to Marshal8e6, and continues the Storm botnet's modus operandi of distributing malware via URL links under the guise of sensational news headlines and fake greeting cards.
"We advise caution and suggest that email users avoid clicking on any news links relating to Obama's inauguration sent to them via email, especially if the email content seems sensational or unbelievable. If you do make the mistake of clicking on one of these links, avoid downloading anything. Also, keep your browser up-to-date to minimise the likelihood of automatic infection through browser vulnerabilities," advised Hay.