
Hackers exploit Libyan unrest to target human rights groups

by Phil Muncaster

26 Feb 2011


Security experts are warning of a new targeted email-based hacking attack exploiting the current unrest in Libya to infect the victim's machine and enable remote code execution.

Symantec.cloud's MessageLabs Intelligence research team spotted the suspicious emails earlier this week, noting that they were sent to 27 individuals at six organisations involved in promoting human rights or supporting humanitarian aid, or acting as think-tanks for foreign affairs and economic development.

Symantec.cloud anti-virus operations engineer Jo Hurcombe explained in a blog post that the emails were sent from an IP address in Romania, and try to trick the recipient into thinking they come from someone internal to their organisation.

"In most cases, the email headers were spoofed to appear to come from the same domain as the recipient, a familiar social engineering technique used in so-called 'spear phishing' attacks," she wrote.

"The email itself is very simple and is designed to appear as part of a discussion about the economic stakes in Libya's current crisis, the sender claiming to agree with points raised in the attached document."

The document in question has been crafted to look like an Office document file with a .doc extension, but is actually an RTF-formatted document infected with an exploit for an RTF parsing vulnerability known as 'CVE-2010-3333: RTF Stack Buffer Overflow Vulnerability'.

The exploit allows remote attackers to execute arbitrary code on the infected computer via crafted RTF data in the document, Hurcombe explained.
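
A mail-triage check for the two traits described above (a sender domain matching the recipient's, and RTF content under a .doc name), as an added Python example that is not from the article or from Symantec.cloud. The sample message, its addresses and its file name are constructed, and `arrived_from_outside` is an assumed flag supplied by the receiving mail gateway.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # start of a binary Word .doc
RTF_PREFIX = b"{\\rt"  # RTF begins "{\rtf"; the shorter prefix is a loose match


def sniff(data):
    """Classify attachment content by its leading bytes, not its file name."""
    head = data.lstrip()[:8]
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    return "rtf" if head.startswith(RTF_PREFIX) else "unknown"


def domain(header_value):
    """Lower-cased domain of the first address in a header value."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw, arrived_from_outside):
    """Return findings for one raw message. arrived_from_outside is assumed
    to come from the receiving gateway, because headers can be forged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender, rcpt = domain(msg["From"]), domain(msg["To"])
    if arrived_from_outside and sender and sender == rcpt:
        findings.append("external mail claims recipient domain " + sender)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".doc") and sniff(part.get_payload(decode=True) or b"") == "rtf":
            findings.append("attachment " + name + " is RTF content named .doc")
    return findings


def build_sample():
    """Constructed, benign message with the two traits the article describes."""
    m = EmailMessage()
    m["From"] = "Colleague <colleague@example.org>"
    m["To"] = "analyst@example.org"
    m["Subject"] = "Re: discussion document"
    m.set_content("I agree with the points raised in the attached document.")
    m.add_attachment(b"{\\rtf1\\ansi constructed sample text}",
                     maintype="application", subtype="msword",
                     filename="discussion.doc")
    return m.as_bytes()
```

Calling `triage(build_sample(), arrived_from_outside=True)` returns both findings; a genuine binary .doc sent from inside the organisation returns none.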

The discovery comes in the same week as scammers in Ghana were found to be sending 419 emails which also seek to exploit the unrest in Libya to con the victim out of cash.
