A new email-based attack was reported this month based on a new variant of an older worm that tempts potential victims into clicking on purported documents or sex movies. When the malware executes, it tries to disable the victim’s security software and propagates the malicious message to contacts in the user’s address book.
What’s interesting about this attack is that it is linked to a group, the Brigades of Tariq ibn Ziyad, a self-proclaimed “cyber-jihad” organization that aims to wage cyber war against the U.S. Army and similar institutions.
The worm downloads a Trojan that is set to connect to a server whose name resembles that of the organization. While the actual attack was simple, it was effective because it put a slightly different spin on an old trick: the payload wasn’t the suspicious .exe or .ZIP file, but an HTML file, according to Luis Chapetti, lead security analyst at Barracuda Networks.
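The point Chapetti makes is that filters tuned for .exe and .ZIP attachments let an HTML attachment through, even though the HTML is just a stage that fetches the real executable. As an added illustration (this is not code from the article or from Barracuda Networks), the Python below is a small mail-gateway style check: it parses a message, enumerates its attachments, flags risky extensions, and, for HTML attachments, looks for the features such a stager typically carries (script, meta-refresh redirects, iframes, links to executables). The sample message, the hostnames and the filenames are constructed for the example.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Extensions a gateway should treat as risky; HTML is on the list on purpose,
# since in the incident described the HTML attachment was the actual payload.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
    ".js", ".vbs", ".zip", ".rar", ".html", ".htm",
}

# Indicators inside an HTML attachment that warrant a closer look.
HTML_INDICATORS = [
    (re.compile(rb"<script", re.I), "inline script"),
    (re.compile(rb"http-equiv=[\"']?refresh", re.I), "meta refresh redirect"),
    (re.compile(rb"<iframe", re.I), "iframe"),
    (re.compile(rb"https?://[^\s\"'>]+\.(?:exe|scr|zip)", re.I),
     "link to executable/archive"),
]


def assess_attachment(part):
    """Return (filename, findings) for one MIME attachment part."""
    name = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    ext = name[name.rfind("."):] if "." in name else ""
    findings = []
    if ext in RISKY_EXTENSIONS:
        findings.append(f"risky extension {ext}")
    # Check the content type as well as the name: a stager can be renamed.
    if ctype in ("text/html", "application/xhtml+xml") or ext in (".html", ".htm"):
        body = part.get_payload(decode=True) or b""
        for pattern, label in HTML_INDICATORS:
            if pattern.search(body):
                findings.append(f"html: {label}")
    return name, findings


def assess_message(raw_bytes):
    """Parse a raw RFC 5322 message and return [(filename, findings), ...]
    for every attachment that produced at least one finding."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name, findings = assess_attachment(part)
        if findings:
            results.append((name, findings))
    return results


def build_sample():
    """Constructed sample: a lure with a harmless text note and an HTML
    attachment that redirects to an executable on a hypothetical host."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "check out this video"
    m.set_content("Open the attached file to watch.")
    html = ('<html><head><meta http-equiv="refresh" '
            'content="0;url=http://download.example.invalid/video.exe">'
            '</head><body>Loading...</body></html>')
    m.add_attachment(html, subtype="html", filename="video.html")
    m.add_attachment("nothing to see here", subtype="plain", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for name, findings in assess_message(build_sample()):
        print(name, "->", ", ".join(findings))
```

Running it reports only `video.html`; the plain-text attachment produces no findings and is not listed. A real gateway would act on the findings (quarantine, strip the attachment, or rewrite it) rather than just print them, and the extension list and indicator patterns are starting points to tune against the mail a given site actually receives.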
“This outbreak was actually kind of simple,” Chapetti said. “All it did was spam itself out. They could have just as easily added a password stealer to the download list and, with more sophisticated code, dynamically changed the download site and kept the worm alive for a long time.” This raises the question: is this attack a trial run for a more nefarious attack in the future? And is the goal simply to disrupt a U.S. government institution’s network in the name of religion, or is this really just another criminal act, with financial gain as the ultimate objective?
And speaking of financial gain, researchers at the University of California at Santa Barbara published a report that exposed details about how the infamous Torpig/Sinowal/Anserin botnet operates, its makeup, who it typically victimizes, and just what type of financial data it’s stealing.
Torpig has been a hot subject for researchers for some time: RSA revealed that the so-called Sinowal Trojan, a.k.a. Torpig and Mebroot, had been stealing data for about three years, and had successfully swiped 300,000 online bank accounts, credit and debit card accounts, and an unknown number of email and FTP accounts. The botnet’s malware “may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters,” researchers say.
The researchers counted 1,660 different stolen credit and debit card accounts, 49 percent of which belonged to victims in the U.S., 12 percent from Italy, and 8 percent from Spain. Of the cards, 1,056 were Visa cards; 447, MasterCard; 81, American Express; 36, Maestro; and 24, Discover. In one case, the botnet stole 30 credit card numbers from a single victim, who turned out to be an agent for an at-home distributed call center.
Bottom line? These continuing attacks are a significant reminder to all users not to run anything received via email if the source is not trusted and the content unknown, and to keep browser software updated with the latest version to protect against drive-by downloads.