Dec 8, 2010 14:11 GMT

Security researchers from Symantec warn that malware distributors are piggybacking on the WikiLeaks news storm in order to spread their malicious programs.

At the beginning of last week, WikiLeaks started publishing leaked U.S. Department of State cables that give a clear insight into the country's foreign relations.

The organization is said to be in possession of over 250,000 diplomatic reports spanning years and originating from 274 U.S. embassies, which it plans to release gradually.

Interest in the information revealed in these cables is so high that cyber criminals couldn’t miss the chance to capitalize on it.

Rogue emails intercepted by Symantec, which purport to come from a [email protected] email address, are using explosive news headlines to trick users into clicking on malicious links.

“IRAN Nuclear BOMB!” one such communication is titled. The contained message looks unrelated and reads “OBAMA is an IMPOSTOR!”

This kind of confusing and incomplete message is meant to make recipients curious enough to click on the included link.

If they do that, they get served a malware downloader in the form of an unsigned Java applet. Allowing the applet to run is a very bad idea, because its purpose is to download a worm known as W32.Spyrat.

“W32.Spyrat opens a backdoor using a predetermined port and IP address, allowing an attacker to perform the following actions on the compromised computer: read, write, and execute files; steal stored passwords; issue commands; activate and view a webcam, if present; log keystrokes; create an HTTP proxy to route traffic through the compromised computer,” Symantec researcher Samil Patil explains.

The fact that WikiLeaks has recently lost control over wikileaks.org and is now using over 1,000 backup mirrors hosted on different domains might lend credibility to links distributed in such attacks.

Users should exercise increased caution when faced with links in emails, even when they appear to come from trusted sources. They are also advised to get their news by directly visiting the websites they trust.