Dirty bomb news report leads to PC infection

Dmitry from our Vancouver offices has covered this in some detail on the SophosLabs blog, but I thought it was worth sharing with a wider audience.

Hackers are spamming out emails posing as breaking news stories about a bomb blast in your city, in the hope that you will follow the link and infect yourself with malware.

The emails, which have subject lines like “Why did it happen in your city?”, “Take Care!”, “Are you and your friends in good health?”, claim that 18 people have been killed in an explosion and link to what appears to be a Reuters-related news website.

Malicious email containing fake news report

Sign up to our free newsletter.
Security news, advice, and tips.

However, clicking on the link takes you to a dangerous website whose only intention is to infect your Windows PC with malicious code. Clicking on what appears to be a video about the breaking news story actually leads to a malicious download.

Part of the text of the website designed to fool the unwary into believing the story to be true, reads as follows:

At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Amsterdam. Authorities suggested that the explosion was caused by a "dirty" bomb. Police said the bomb was detonated from close by using electic cables. "It was awful" said the eyewitness about blast that he heard from his shop. "It made the floor shake. So many people were running"

You’ll notice that the hackers did not do a brilliant job in their wording – which might ring alarm bells in some people. But I wonder how many others would be blind to such a clue, and just click on the video regardless?

What is particular clever about the website is not that it pretends to be connected with Reuters (that’s trivial for anyone to do as all you need is a copy of the Reuters logo and some generic news report text), but that it attempts to do a GEO-IP lookup on your whereabouts and customises the story to appear as though it relates to your location.

Malicious website posing as a breaking news story

So, for example, if you visit the webpage from London it is likely to claim that the bomb blast has occurred there.

Sophos detects the malware as Mal/WaledPak-E, but users of other security products might be wise to check that their own defences have been updated.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.