NetTraveler using PRISM phishing lures
A recent email found by blogger Brandon Dixon indicates that the latest spear-phishing campaigns from the group behind NetTraveler are using the PRISM controversy to lure victims into reading the booby-trapped email. The mail, which tells the tale of the disclosure of PRISM and other NSA programmes, offers a 2.5MB file – "Monitored List1.doc" – and implies that this contains a list of those monitored by the NSA. The file, of course, actually contains malware that exploits an older vulnerability, CVE-2012-0158, to infect the computer.
Dixon says that the mail was sent to a Yahoo account associated with the Regional Tibet Youth Congress in Mundgod, India. His cursory analysis of the malware connects the phishing mail with the people behind the NetTraveler campaign. NetTraveler was exposed earlier this month by Kaspersky as a targeted spyware and phishing ring, which has apparently been in operation since 2004. With at least 350 victims in 40 countries, the ring targeted individuals from private and public institutions, government agencies, research organisations and the defence industry as well as Tibetan activists. In this case the email was spoofed to make the sender appear to be Jill Kelley, who found herself at the centre of the Petraeus scandal.