Fake Obama sites prey on inauguration by distributing trojan

Share this article:
Updated Tuesday, Jan. 20, 2008 at 2:19 p.m. EST

Barack Obama was sworn in as president on Tuesday, but a new malware campaign wants you to believe otherwise.

Users are being lured to a number of malicious sites that look like Obama's official homepage but contain bogus news stories such as “Barack Obama refused to be the president of the United States of America” and “There is no president in the USA anymore.”

When the user clicks on one of the links, the malware -- identified as the Waledac trojan -- begins to download the necessary files to host the attack on the victim's computer, Ryan Sherstobitoff, chief corporate evangelist for Panda Security. told SCMagazineUS.com on Tuesday.

The goal of this exploit to build a bigger botnet, Fred Touchette, senior security analyst at anti-spam firm AppRiver, told SCMagazineUS.com.

“It could be pretty dangerous," he said. "The site is an exact mirror of the official Obama-Biden site."

Users are being lured to the site through a spam campaign that has been crafted to contain legitimate-looking news stories about the Obama inauguration, researchers said. The messages aim to lure users into clicking a link contained in the message, which sends users to the fake site.

Spammers and malware authors use any significant social event to entice users to follow links sent out through email, Ryan Barnett, director of application security research for Breach Security told SCMagazineUS.com Tuesday.

"In this case, any fake headlines about the Inauguration will be a hot lure right now," Barnett said.

There are a couple of steps needed to become infected — users must click a link in their email, click on one of the links on the site, download the malicious executable and execute it, Touchette said

The attack appears to originate from China and there are about 75 domain names associated with the Waledac trojan, according to a PandaLabs blog post. Online watchdog, the Shadowserver Foundation, has posted a full list of the domains that are associated with the malware and encourages users to block or avoid them.
Share this article:
close

Next Article in News

Sign up to our newsletters

More in News

In Cisco probe, misuse or compromise spotted on all firms' networks

In Cisco probe, misuse or compromise spotted on ...

Cisco analyzed the business networks of 30 multinational companies last year, and revealed the findings in its 2014 Annual Security Report.

Fareit trojan observed spreading Necurs, Zbot and CryptoLocker

The Necurs and Zbot trojans, as well as CryptoLocker ransomware, has been observed by researchers as being spread through another trojan, known as Fareit.

Post Heartbleed, tech giants join initiative to bolster open source

Post Heartbleed, tech giants join initiative to bolster ...

The newly formed Core Infrastructure Initiative, created to boost under-funded open source projects, will tackle OpenSSL first.