September 08, 2007

Yet More Stormy Weather
These guys are damned good social engineers. They've done the "you're a member of a neat club" trick, then the YouTube lure, and last weekend used the Labor Day holiday (in the U.S.) as bait. Being a new weekend and all, the newest one I've seen goes after Americans' insatiable appetite for anything football. Here's what arrives in the email:
Subject: Football Fan Essentials
Season is open.... and we do mean FOOTBALL!
Know all the games, what time, what channel and the stats.
Keep on top of all the games with our online game tracker:
The page at the end of that URL has a bunch of National Football League data about the pro games playing tomorrow:
The links in the table go to the real football team sites. But the lure is the "Game Tracker" button in the upper right. I'll bet there will be lots of fans who download this guy. Unfortunately, this particular download is malware through and through. Even more unfortunately, a lot of major antivirus products do not yet detect this program. So, if you think you're safe by having, say, McAfee or Symantec AV running as a safety net, forget it (until they update their malware definitions).
Oh, and lest you think that all of this stuff is going on via hijacked computers in dark dungeons located in rarefied regions of the world, the IP address behind the link in the message I received belongs to Comcast in Chicago. It's more a case of bots using bots to bot the bot-bot.
So, if you fall for this trick, while you're enjoying the game in front of the TV, your PC will be doing something like "the wave," except it will be mooning you from across the room.
UPDATE (15Sep2007) -- Although the volume has subsided a bit, more recent web sites using this NFL ruse have all links pointing to the malware download. It must have been a tough call for the guy(s) behind this one. On the one hand, having so many links point to real NFL team web sites (if a visitor bothers to check the browser status bar while rolling over the link) gives the page more credibility; on the other hand, having all links start the download will more likely garner a greater number of downloads from those visitors who aren't suspicious (and are more likely running unpatched/unprotected machines).

Posted on September 08, 2007 at 12:04 PM