Feb1
9:44 am (UTC-7)   |   by Jessie Paz (Advanced Threats Researcher)

There is a new case of email scam that is currently propagating in Germany that uses the popularity of a German-based online news site, SPIEGEL ONLINE. It uses a spoofed sender’s address and some recent hot headlines in the body to increase its chance of deception. This scheme is more like the recent case of WORM_NUWAR where it harvests the top headlines in the CNN news site and uses them as subjects to its emails.


The embedded links point to a malicious website that contains obfuscated script that uses vulnerability in the Microsoft Data Access Components (MDAC) Function (MS06-014) and vulnerability in Microsoft XML Core Services (MS06-071) to download and execute malicious file to the victim’s system.


Social Engineering as have been, is like “the attackers’ choice” of infiltrating an individual or an organization because its effectiveness can turn the victims into a human botnet. The victims do as what the attacker wants them to. Consider this scenario, an attacker constructed a very convincing email pretending to be from a legitimate and prominent organization or from one of your ‘trusted’ friends email address and sends it to a list of email addresses. Let’s say 50% of the recipients are normal internet users and opened the emails and follow the links embedded to it, a human botnet has just been created… What is so sad about it is the fact that, it is a human nature to be curious on things so, a normal internet user will probably follow/click the link out of curiosity. It is ironic because the attacker might not include an explicit message to follow the link but there are still others that will do so in effect, an attacker has just got an easy way in to bypass a tightly secured firewall/AV/IDS/IPS of an organization, human vulnerability.


We are really in serious need of internet/security awareness because human vulnerability has no automatic download and install of updates and even though some vendors issue regular updates on their products, more product vulnerabilities are being exploited in the wild prior to the knowledge of the vendor.


Update(Jessie Paz, Fri, 02 Feb 2007 01:38:26 AM)


Note:
The malicious script that gets executed upon visiting the website was given the detection name JS_AGENT.LDC while the downloaded binaries (load.exe and load.jpg) were detected as TROJ_DLOADER.HMB since CPR 4.234.04.


If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!



This entry was posted on Thursday, February 1st, 2007 at 9:44 am and is filed under Uncategorized . Responses are closed, but you can trackback from your own site.



No Responses to “Riding with Spiegel – another case of Social Engineering”

Trackbacks

  1. engineering » Blog Archive » Riding with Spiegel - another case of Social Engineering
  2. engineering » Blog Archive » Pascal Meunier Presents on Social Engineering
  3. engineering » Blog Archive » Social Engineering at its Best
  4. engineering » Blog Archive » Hoisted from the Archives: Information Technology and the Future …
  5. engineering » Blog Archive » Is social engineering always used to commit fraud?

Faked BKA eMails are being spammed
Trend Micro Finds More Windows Mobile Flaws


 
TrendWatch Hijack This Web Protection Add-On
Free Online Virus Scan Rootkit Buster Submit Suspicious Files
Global Malware Map RUBotted? Trend Micro
 



    		 
© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice