"Sex Scandal" Spam Campaign Targeting US Presidential Election
Threat Type: Malicious Web Site / Malicious Code
Websense® Security Labs™ ThreatSeeker™ Network has discovered an emerging email campaign which uses the US presidential election as a social engineering mechanism to install information-stealing code on a victim's machine. With less than 2 months before the start of the election, emails are circulating with fake news of a sex scandal affecting one of the candidates. Recipients of the email are encouraged to view a video supposedly involving the Democratic candidate Barack Obama. Users who click the link are shown a pornographic video taken from hxxp://homemade*snip*.com/. While the video plays for 14 seconds, malicious applications are installed on the victim's machine.
Screenshot of example email:
The email encourages users to download and run obama-*snip*.exe. The MD5 of the Trojan Dropper is 26B861DF715549C537C28E4D60D8D0B7.
Screenshot of pornographic video run through Windows Media Player:
The dropper installs 809.exe in the user's Temporary Internet Files folder. A Browser Helper Object (BHO) named Siemens32.dll is also registered. This is an information-stealing application that posts data to a compromised Finnish travel site, hxxp://*snip*-hotel.com/.
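The BHO registration described above is the artifact that persists on an affected host. As an added example (not part of the original alert or of any Websense tooling), the following Python code audits a `reg export` dump collected from a machine: it resolves every registered BHO CLSID to its InprocServer32 DLL and flags the file name given in this alert. The sample export, its CLSIDs and the DLL directories are constructed for illustration; only the name Siemens32.dll comes from the alert.

```python
import re
from pathlib import PureWindowsPath

BHO_INDICATOR = "siemens32.dll"  # BHO file name given in the alert
BHO_KEY = "\\explorer\\browser helper objects\\"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample of `reg export` text: CLSIDs and directories are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-AAAA-4AAA-8AAA-000000000001}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-BBBB-4BBB-8BBB-000000000002}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-AAAA-4AAA-8AAA-000000000001}\InprocServer32]
@="C:\\Program Files\\ExampleToolbar\\toolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-BBBB-4BBB-8BBB-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\Siemens32.dll"
'''

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = m.group(1).strip('"')
            # Undo .reg escaping (\\ and \"); hex(2) values are not decoded
            # here, so such entries come back as "unresolved".
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def audit_bhos(text):
    """Resolve every registered BHO CLSID to its DLL and flag the alert's name."""
    keys, findings = parse_reg(text), []
    for path in keys:
        if BHO_KEY not in path:
            continue
        clsid = path.rsplit("\\", 1)[1]
        suffix = "\\clsid\\" + clsid + "\\inprocserver32"
        dll = next((v.get("@") for k, v in keys.items() if k.endswith(suffix)), None)
        hit = dll is not None and PureWindowsPath(dll).name.lower() == BHO_INDICATOR
        status = "unresolved" if dll is None else "match" if hit else "listed"
        findings.append({"clsid": clsid, "dll": dll, "status": status})
    return findings

if __name__ == "__main__":
    for f in audit_bhos(SAMPLE_REG):
        print(f["status"], f["clsid"], f["dll"])
```

A file-name match is a lead for closer inspection of the DLL rather than confirmation of infection, and "unresolved" entries deserve the same manual review.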
Screenshot of code locations pointing to compromised Web site:
Websense customers are proactively protected against this latest attack as our ThreatSeeker Network identified a malicious IRS scam hosted on the same domain only last week:
Websense Messaging and Websense Web Security customers are protected against this attack.