Commtouch Labs has run across a brilliant blended threat campaign organized by a body pretending to be the Centers for Disease Control. The attack, originating from Chinese botnets, began on the morning (EST) of 1 December 2009 and is still going strong. By the time of publication, the attack had been flagged as “massive” by Commtouch Labs.
The email looks like this:
Note the “From” address ends in .gov; spoofing the address in this way makes the message appear to be from a government body. The .gov ending may trick some traditional spam filters as well as tricking the unknowing recipient of such a message. With everyone in a panic about Swine Flu lately, the message is definitely trying to hit a soft spot. Cyber criminals tend to use social engineering methods to distract us from the dangers that lie within the links and files.
The body of the message describes a Vaccination Profile program to lure readers to a site that was laden with malware. A recipient who clicked on “create personal profile” at the bottom of the email was directed to this link:
Including cdc.gov in the URL is designed to trick users into thinking that CDC is the domain, but the actual domain name is included AFTER the .gov, as pictured above. We blurred out the actual domain here, but it comes immediately after the .gov in the address.
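The check described above can be automated: what matters is the hostname the browser actually connects to, not whether the string cdc.gov appears somewhere in the link. The following is an added example, not Commtouch code; the sample links and the vaccination-profile domain in them are constructed placeholders, since the real domain is blurred in the post.

```python
from urllib.parse import urlsplit


def url_host(url: str) -> str:
    """Return the lowercase hostname a browser would actually connect to.

    urlsplit() separates the host from the scheme, any user@ prefix,
    the port and the path, so text such as 'cdc.gov' placed in those
    other positions does not leak into the host.
    """
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is `domain` itself or a subdomain of it.

    The comparison is on a label boundary: 'cdc.gov.example' and
    'evilcdc.gov' both contain the substring but belong to neither.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, trusted_domain: str = "cdc.gov") -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unrelated'.

    'lookalike' means the trusted name appears in the URL (subdomain
    label, path, or user@ part) while the real host is something else,
    which is exactly the trick used in this campaign.
    """
    host = url_host(url)
    if host_belongs_to(host, trusted_domain):
        return "trusted"
    if trusted_domain in url.lower():
        return "lookalike"
    return "unrelated"


# Constructed sample links (the .example TLD is reserved for documentation).
SAMPLE_LINKS = [
    "http://www.cdc.gov/h1n1/vaccination/",                 # genuine host
    "http://cdc.gov.vaccination-profile.example/sNode.php",  # .gov is a subdomain label
    "http://cdc.gov@vaccination-profile.example/profile",    # .gov hides in user@ part
    "http://vaccination-profile.example/cdc.gov/profile",    # .gov only in the path
    "http://evilcdc.gov/profile",                            # substring, wrong label
    "http://flu-news.example/story",                         # no claim at all
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):10s} host={url_host(link):40s} {link}")
```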
The second file, sNode.php, also contains obfuscated code:
This file is also malicious.
Unfortunately, online crooks will use any tactic they can think of to bypass spam and virus filters. Commtouch RPD technology is based on massive pattern analysis, and thus blocked this blended threat in most of our partner implementations. But for those who rely on traditional spam filtering, the outcome may not have been so sweet.
If an email slips into your inbox, be sure to check link domains – in their entirety – before clicking. Don’t assume that a .gov in the middle of a link means it actually comes from a legitimate source. If you are unsure about the origins of an email, try to verify the details before you fall victim to the next great malware scheme. And never click on links or download files from unverified sources.
For the REAL Centers for Disease Control and everything you ever wanted to know about Swine Flu, visit the official CDC Swine Flu information page.