Websense First to Discover Malicious Email Campaign with Multiple Variations; Websense Web Security and Email Security Customers Are Protected
Mumbai, November 6, 2008 — Websense, Inc. (NASDAQ: WBSN), a global leader in Web, data and email security solutions, reported today that the Websense® Security Labs™ ThreatSeeker™ Network has discovered cybercriminals seeking to capitalize on the results of the 2008 US presidential election with a mass malicious email campaign.
Attackers are sending several variations of malicious email lures throughout the world, directing recipients to click on a link to view a video showing an interview with the advisors to the U.S. President-elect Barack Obama or to view a portion of his acceptance speech. Clicking on the link directs users to a malicious Web site that infects them with information-stealing malware. In some variations of the email attack, cybercriminals are using well-known publishing names such as Time Magazine and La República (Peru) in the email subject line to encourage users to click on the links. Websense Web security and email security customers are protected from these attacks.
“The U.S. election has been closely watched by people worldwide making it an ideal topic to use as a lure by cybercriminals seeking to steal information from unsuspecting victims,” said Dan Hubbard, chief technology officer at Websense. “We are seeing many variations of this attack and the numbers of emails are growing by the thousands by the hour.”
Some of the email attacks contain links to a file called ‘BarackObama.exe’ which is hosted on a compromised travel site. The file is an information-stealing Trojan Horse downloader. Upon execution, files called “system.exe” and “firewall.exe” are dropped into the victims’ system directory and a phishing kit is unpacked locally, dropping files bound to startup. The ‘hosts’ file is also modified.
In another variation, victims that click on the link go to a purposely registered domain which advises them to install the latest version of Adobe Flash player before the video can be viewed. The malicious Web site links to a file called ‘adobe_flash.exe’ which is actually a Trojan Horse packed with ASPack. Upon execution, a RootKit is installed on the compromised machine, and the victim’s data is sent to multiple command and control servers.
All Websense solutions are powered by the Websense ThreatSeeker™ Network which continuously monitors the Internet for changes and emerging threats like the current attack. The resulting intelligence is immediately incorporated into the company’s Web, data and email security solutions. As a result, Websense solutions adapt to the rapidly changing Internet threat environment at speeds not possible by traditional security solutions.
Organizations interested in free evaluations of Websense solutions should visit: http://www.websense.com/evaluations/.
Cybercriminals Exploit Barack Obama Victory: Report