Cyber-criminals unleash spam Storm

Security experts have warned of an outbreak of malicious spam emails that use log-in account confirmation details as a hook to get users to visit an infected website.

The Marshal TRACE threat research team said that the emails appear to come from a legitimate organisation and provide recipients with temporary log-in confirmation details for a website.

The spam uses text like 'for security purposes, please login and change the temporary Login ID and Password', and include a link to an IP address which is in fact a website infected with the Storm Trojan.

The messages appear to come from the technical support departments of a range of organisations with names designed to generate interest among the public, such as 'Joke-A-Day' and 'Web Players'. The links appear as a numerical IP address rather than a URL.

"We are seeing significant volumes of 'confirmation spam' hitting inboxes," said Bradley Anstis, director of product management at Marshal.

"This outbreak is the latest in a string of social engineering tactics used by the same individuals responsible for the Storm Trojan to propagate their botnet.

"These criminals are clever and highly adaptive. This is simply their latest attempt to fool unsuspecting email users into infecting themselves."

The Storm Trojan first appeared in January 2007. It quickly achieved success and notoriety by using the guise of current affairs headlines to fool unsuspecting recipients into clicking on a link which led to the Trojan.

Examples of the headlines used included 'Saddam Hussein alive!' and 'Chinese missile shot down by USA aircraft'.

Since then the criminals behind the Trojan have used greeting cards to infect computers with subjects ranging from the 4th of July to Thank You cards.

"The 'confirmation spam' outbreak has been launched by the same group that launched the Hot Pictures spam campaign earlier in the week," said Anstis.

"Previously these spam campaigns, like the greeting card campaign, would last for weeks at a time. Now, spammers are modifying or launching new spam campaigns almost daily.

"Our advice to anyone who receives a message like this from a person they do not know, or have not heard from for a long time, is to delete it without opening it.

"Certainly, do not click on the link in the message and do not click 'OK' if it asks to download a file."

Further details and advice on the Storm Trojan can be found on Marshal's TRACE Center website.