Katrina News Email Scam

Date:09.01.2005

Threat Type: Malicious Website / Malicious Code

Websense Security Labs™ has received multiple reports of a new email scam, which attempts to lure users into visiting a malicious website. The message gives a brief news update on Hurricane Katrina and provides a link to the full news story. This website contains encoded JavaScript, which attempts to exploit two HTML Help vulnerabilities. Microsoft has addressed these vulnerabilities with http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx.

In the event that either of the exploits are successful, a Trojan downloader is placed on the workstation. The Trojan begins downloading a second malicious file, which is also a Trojan. The second Trojan has backdoor functionality that gives the attacker complete control of the workstation.

The technique, exploit, and Trojan used in this attack are nearly identical to the Iraqi News Email Scam that began circulating in early August.

The first website involved in the attack is hosted in Mexico; the second is in the United States. Both were online at the time of this alert.

Websense Security Labs™ has also observed several hundred new websites, which are requesting donations for Hurricane Katrina relief. Many of these sites are believed to be fraudulent. We strongly recommend you verify the authenticity of any charity before making a donation.

Sample email text:

Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles northeast of Tupelo, Miss., moving north-northeast with winds of 50 mph.
Forecasters at the National Hurricane Center said the amount of rainfall has been adjusted downward Monday.
Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed as many as 80 people in his state and burst levees in Louisiana flooded New Orleans.

Read More.. <URL Removed>

Sample site screenshot: