Criminals are trying to trick users into downloading malware by luring them to a website that reports a hoax 'breaking news' story of a bomb explosion, cleverly tailored to their location.
Picked up in different forms by the spam traps of several security vendors, the attack works out the approximate location of the visitor from their IP address and serves one of a range of localised versions of almost identical news stories.
According to Sophos and Websense, an email claiming that 18 people have been killed in an explosion arrives with the subject line "Why did it happen in your city?" or "Take Care!". A link leads to what appears to be a Reuters news story on the bomb, complete with a video that turns out to need a special codec. Downloading this starts an infection with Waledac (identified as WaledPak-E by Sophos).
"At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Amsterdam. Authorities suggested that the explosion was caused by a "dirty" bomb. Police said the bomb was detonated from close by using electic cables. "It was awful" said the eyewitness about blast that he heard from his shop. "It made the floor shake. So many people were running," runs the fictitious story.
Using a location lookup, the website is able to name any one of a range of major cities close to the victim, including London, Amsterdam, Vancouver and Sydney, which might give the site a degree of plausibility for some people. There also appear to be several versions of the basic story, one of which claims the attack used a 'dirty bomb', and others which make no mention of such a scenario.
Given how easy it is to identify non-proxied PCs from the IP address, it's surprising the technique has not been used more often in the past.
"You'll notice that the hackers did not do a brilliant job in their wording - which might ring alarm bells in some people. But I wonder how many others would be blind to such a clue, and just click on the video regardless?" said Graham Cluley of Sophos.