Dirty bomb mail leads to malware infection
Spam emails are being sent out that pose as breaking news about a dirty bomb attack in the recipient's city and provide a link to a 'news' website containing malware. According to Graham Cluley of Sophos, the subject lines of the spam emails include "Why did it happen in your city?", "Take Care!" and "Are you and your friends in good health?" The emails claim that several people have been killed and link recipients to what looks like "a Reuters-related news website."
Users who receive the email and click on the link it contains are sent to a site that claims to be from Reuters and uses a GEO-IP lookup to see where the recipient is located. The site then customises itself to make the fraudulent story appear to be news relating to the user's current location. The first line of the site reads, "Powerful explosion burst in (your city name here) this morning." Users who visit the web page in London, for example, will see the "localised" site claim that a bomb blast has occurred there.
The site prompts users to download the latest version of Flash Player to view a supposed Reuters video of the explosion. The download, however, is not an updated version of Flash, but rather malware. This appears to be the first time that a malware site has used a GEO-IP lookup to tailor itself to a user's geographic location in order to lure them into downloading. It does this by looking up the recipient's IP address, which will typically yield the user's correct city and is usually more than enough to make the scam appear convincing to some people.
- Waled explosion in your city!, a report from Sophos.