A new email scam currently propagating in Germany trades on the popularity of SPIEGEL ONLINE, a German online news site. The messages use a spoofed sender address and recent hot headlines in the body to increase their chance of deceiving recipients. The scheme resembles the recent WORM_NUWAR case, which harvested the top headlines from the CNN news site and used them as the subject lines of its emails.
The embedded links point to a malicious website hosting an obfuscated script that exploits a vulnerability in Microsoft Data Access Components (MDAC) (MS06-014) and a vulnerability in Microsoft XML Core Services (MS06-071) to download and execute a malicious file on the victim's system.
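Landing pages of this kind usually hide the exploit behind one or more layers of `unescape("%..")` and `String.fromCharCode(...)`, so a signature run over the raw HTML sees nothing. The script below is an added example, not code from the original post or from the vendor: it peels those two common layers and then looks for the indicators associated with the two bulletins named above (the RDS.DataSpace CLSID and the `CreateObject` pattern for MS06-014, the `Msxml2.XMLHTTP.4.0` ProgID for MS06-071). The sample page is constructed in the block itself from a truncated indicator fragment; the download-and-execute stage is deliberately omitted, so it is only a scanner target, not a working exploit.

```python
"""Peel common JavaScript obfuscation and scan for MS06-014 / MS06-071 indicators.

Added example; the sample page is constructed here, not captured from the scam.
"""
import re
from urllib.parse import unquote

# Indicators keyed to the two bulletins named in the post.
# The CLSID is RDS.DataSpace's (MS06-014); the ProgID is MSXML 4.0 XMLHTTP's (MS06-071).
INDICATORS = {
    "MS06-014 (MDAC RDS.DataSpace)": [
        re.compile(r"BD96C556-65A3-11D0-983A-00C04FC29E36", re.I),
        re.compile(r"RDS\.DataSpace", re.I),
        re.compile(r"CreateObject\s*\(\s*['\"](?:Shell\.Application|Adodb\.Stream|Microsoft\.XMLHTTP)", re.I),
    ],
    "MS06-071 (MSXML 4.0 XMLHTTP)": [
        re.compile(r"Msxml2\.XMLHTTP\.4\.0", re.I),
    ],
}

UNESCAPE_RE = re.compile(r'unescape\s*\(\s*["\']([^"\']*)["\']\s*\)', re.I)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)


def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX and %XX sequences, one char per byte."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def peel(text, max_layers=8):
    """Expand unescape("...") and String.fromCharCode(...) literals until nothing changes.

    The result is meant for indicator scanning, not for execution: the expanded
    string literals are spliced in without quoting.
    """
    layers = 0
    while layers < max_layers:
        new = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(1)), text)
        new = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), new)
        if new == text:
            break
        text, layers = new, layers + 1
    return text, layers


def scan(html):
    """Return which indicator groups fire after peeling, plus whether the raw text matched."""
    peeled, layers = peel(html)
    hits = {}
    for name, patterns in INDICATORS.items():
        matched = [p.pattern for p in patterns if p.search(peeled)]
        if matched:
            hits[name] = matched
    raw_hit = any(p.search(html) for pats in INDICATORS.values() for p in pats)
    return {"layers": layers, "hits": hits, "raw_hit": raw_hit}


# --- constructed sample page (indicator fragment only; no download/execute stage) ---
CLSID = "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"  # RDS.DataSpace
INNER_SCRIPT = (
    'var o=document.createElement("object");'
    'o.setAttribute("classid",String.fromCharCode(%s));'
    'var x=o.CreateObject("Microsoft.XMLHTTP","");'
    'var s=o.CreateObject("Adodb.Stream","");'
    'var h=new ActiveXObject("Msxml2.XMLHTTP.4.0");'
    "/* download/execute stage deliberately omitted */"
) % ",".join(str(ord(c)) for c in CLSID)


def percent_encode_all(s):
    """Encode every character as %XX, the way many script obfuscators do."""
    return "".join("%%%02X" % ord(c) for c in s)


SAMPLE_PAGE = (
    '<html><body><script type="text/javascript">'
    'document.write(unescape("%s"));</script></body></html>'
    % percent_encode_all(INNER_SCRIPT)
)

if __name__ == "__main__":
    result = scan(SAMPLE_PAGE)
    print("raw text matched:", result["raw_hit"])
    print("layers peeled:", result["layers"])
    for name, pats in result["hits"].items():
        print(name, "->", pats)
```

`raw_hit` is reported alongside the real hits to make the point of the example visible: on the constructed page every indicator is hidden by the percent encoding, and only the peeled text matches. The peeling covers just the two literal forms shown; real pages also use `eval` over computed strings, which needs a JavaScript interpreter rather than regex substitution.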
Social engineering remains the attackers' method of choice for infiltrating an individual or an organization, because when it works it turns the victims into a human botnet: they do whatever the attacker wants them to do. Consider this scenario. An attacker crafts a very convincing email that pretends to come from a legitimate, prominent organization, or from the address of one of your 'trusted' friends, and sends it to a list of addresses. If even half of the recipients are ordinary internet users who open the email and follow the embedded link, a human botnet has just been created. The sad part is that curiosity is human nature, so an ordinary user will probably click the link just to see what it is. The attacker does not even need to include an explicit instruction to follow the link; some recipients will do so anyway. The result is that the attacker has found an easy way past an organization's tightly configured firewall, antivirus, IDS and IPS: the human vulnerability.
We are in serious need of internet and security awareness, because the human vulnerability has no automatic download and installation of updates. And even though vendors issue regular updates for their products, more and more product vulnerabilities are being exploited in the wild before the vendor even knows about them.
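The spoofed sender and the bait link in the scenario above leave traces that a mail gateway or a responder can check mechanically, even when the recipient cannot. The block below is an added example, not code from the original post or from the vendor: it parses a message, compares the From domain with the envelope sender (Return-Path), and checks every HTML link for a host outside the sender's domain and for anchor text that shows one site while pointing at another. The sample message is constructed; spiegel.de is assumed to be the legitimate domain, the relay and landing hosts are placeholders, and the headline is invented.

```python
"""Triage a news-bait email for sender spoofing and deceptive links.

Added example with a constructed message; spiegel.de is assumed legitimate,
the other hosts are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: From: claims spiegel.de, but the envelope sender and the
# link target live elsewhere, and the link text mimics the real site.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
        by mx.example.org with SMTP; Thu, 01 Feb 2007 10:12:33 +0100
From: "SPIEGEL ONLINE" <newsletter@spiegel.de>
To: victim@example.org
Subject: Eilmeldung: Sturmtief trifft Norddeutschland
Content-Type: text/html; charset=iso-8859-1

<html><body>
<p>Sturmtief trifft Norddeutschland - lesen Sie mehr:</p>
<a href="http://news-update.example.net/spiegel/index.htm">www.spiegel.de/panorama</a>
</body></html>
"""

ANCHOR_RE = re.compile(
    r'<a\b[^>]*?href\s*=\s*["\']?(https?://[^"\'\s>]+)[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def registered_domain(host):
    """Crude registered-domain reduction: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def addr_domain(header_value):
    """Registered domain of the address in a From:/Return-Path: header, or ''."""
    _, addr = parseaddr(header_value or "")
    return registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def html_bodies(msg):
    """Concatenate all text/html parts, decoded with their declared charset."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(out)


def triage(raw):
    """Return the extracted domains, link hosts and a list of human-readable findings."""
    msg = message_from_string(raw)
    from_dom = addr_domain(msg.get("From"))
    rp_dom = addr_domain(msg.get("Return-Path"))
    findings = []
    if from_dom and rp_dom and rp_dom != from_dom:
        findings.append("envelope sender %s does not match From domain %s" % (rp_dom, from_dom))
    link_hosts = []
    for href, text in ANCHOR_RE.findall(html_bodies(msg)):
        host = urlparse(href).hostname or ""
        link_hosts.append(host)
        if from_dom and registered_domain(host) != from_dom:
            findings.append("link host %s is outside From domain %s" % (host, from_dom))
        # Anchor text that looks like a URL/host but disagrees with the real target.
        shown = HOSTLIKE_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append("link text shows %s but points to %s" % (shown.group(1), host))
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "link_hosts": link_hosts,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

These checks only use what is in the message; a real gateway would add SPF/DKIM results for the From domain and a reputation lookup of the link host. The registered-domain reduction is deliberately naive (it would treat `example.co.uk` as `co.uk`), so a production version should use a public-suffix list.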
Update(Jessie Paz, Fri, 02 Feb 2007 01:38:26 AM)
The malicious script that executes when the website is visited was given the detection name JS_AGENT.LDC, while the downloaded binaries (load.exe and load.jpg) have been detected as TROJ_DLOADER.HMB since CPR 4.234.04.