Ideas on a world financial crisis seem to be on everyone’s minds these days, even malware authors’. In a recent spamming operation, the Storm gang takes advantage of users’ fears of global economic problems.
Localizing the attack to citizens of the still hypothetical North American Currency Union, these spammed email messages promise more information on the present world financial situation as well as a supposed glimpse into plans regarding the implementation of amero – the currency of the said union.
Here’s a screenshot of an email:
The link leads users to the following site, which in turn leads to a Storm variant, detected by Trend Micro as WORM_ZHELATI.AHH:
Neither amero nor the North American Currency Union exists of course, as these remain ideas only, at least for today. Conspiracy theories abound, however; there are rumors about secret pacts between the United States, Canada, and Mexico, but these remain unsubstantiated. Last year, there were reports of the United States Treasury issuing amero coins, but this was later proven to be untrue.
Beyond using these rumors to lure curious online users, the more effective social engineering technique in this attack is the reference to the financial crisis, which looks like a genuine concern for all, especially now.
We strongly advise users not to click links in email messages. Accurate news always comes from reliable sources.
Interestingly, this is now the second instance of Amero and malware together. Online users, and this time even those outside North America, would remember Julie Amero, a substitute grade school teacher who has been a subject of international media coverage. Amero was convicted of impaired morals when a computer she was using while teaching began showing pornographic images. Amero was granted a new trial; her defense centered on claims that malware caused the incident.
Update as of 22 July 2008, 4PM PST
An email sample submitted by Advanced Threat Researcher Paul Ferguson was quite similar to the previously reported Amero spam, only with a different IP address. Upon further analysis by our threat researchers, however, the message was verified to be a spam sample of a new WORM_NUWAR variant. The link in the email message leads to the file amero.exe, which will be detected as WORM_NUWAR.ATK. Below is a screenshot of the said message: