According to Trend Micro analysis, 24% of the manually detected malicious URLs during the Valentine’s season contained the string “love”, or references to it.
Even mobile phone users are not spared this Valentine’s.
Perhaps targeting the romantic side of computer users, spammers have gone full steam on Valentine’s Day. Trend Micro, a global leader in Internet content security, has found a rise in spam campaigns that use Valentine’s Day as a theme for malicious code. Whether this is attributable to the romantic nature of humanity in general or to love’s overwhelming effect on everyone, the spammers are taking advantage of it and leaving love messages, or traces of them, in their code.
Love as a social engineering technique is most popular in the spamming operations of the botnet giant Storm. Known for taking advantage of every occasion and holiday known to man, Storm sends Christmas ecards on Christmas, New Year ecards on or before every first of January, and love ecards during the Valentine’s season. The intent is to recruit more zombie PCs for the botnet, which would then be used for future cybercriminal activities – spamming, scamming, information theft, DDoS attacks. The first Storm malware to send love greetings was WORM_NUWAR.CQ, which was earlier used to send messages about nuclear wars. In 2007, WORM_NUWAR.CQ made a 180-degree turn from its family’s signature technique by replacing war with love during the Valentine’s Day season. Explains Mr. Amit Nath, Country Manager – India & SAARC, Trend Micro, “In the ‘Storm technique’ of spam, once infected, the computer becomes part of the ever-growing Waledac botnet, which makes it vulnerable to being abused for stealing private data.”
Trend Micro recently observed email messages flooding inboxes weeks before Valentine’s Day, which is also typical of previous Storm spam runs. These emails include a web link which, when clicked, redirects users to a site with 12 heart images and the message “Guess which one is for you”. When any of the hearts on this page is clicked, the user is prompted to download a file, malicious of course, detected by Trend Micro as WORM_WALEDAC.AR.
In other such instances, Trend Micro found spammed messages posing as ‘an invoice from iTunes’ in the e-mail’s subject line but containing an advertisement for a “special Valentine’s day sale” with links actually leading to a fake Canadian pharmacy website. Says Mr. Nath, “iTunes garnered an estimated 3.34 billion dollars in sales for 2008, and the numbers for early 2009 are quite promising as well. With the great success and vast number of customers, this pretty much explains the usage of iTunes to lure users into pharma sites.”
The love spammers have for Valentine’s Day is not a new phenomenon; only the expression of their love changes. A 1999 virus, VBS_LOVEMONKEY, sent out email with the message “Dear Nicky… my name is and I want to make hot monkey love with you. You anti-virus stud!” In 2000, Trend Micro analyzed PE_LOVESONG.998, a virus notable for having the word “love” in its code. In the same year, VBS_LOVELETTER did more than just express a love-related emotion. It remains one of the most destructive viruses to ever hit online users, and the most costly as well, with estimates of $5-10 bn in damage. This love letter was also a high point in early social engineering practices. Social engineering is the act of manipulating people into doing things they otherwise would not do, and has become an integral element of Web-based attacks. Even as late as 2006, VBS_LOVELETTER continued to infect a significant number of PCs.
“Around this same time, 2006, the so-called ‘Outbreak Era’ was at its peak, and virus writers, inspired perhaps by VBS_LOVELETTER, were using love notes and file names related to love to gain more coverage, hence to infect more online users. Malicious files now were no longer confined to just file infectors – writers preferred worms, which were able to self-propagate and infect computers even with the absence of host files. Infecting more than 2000 PCs was the WORM_LOVELORN family, which used variations of love and sex in the email messages it sent. On the other hand, the WORM_BAGLE family was more classically romantic. For a Valentine’s Day run, it sent messages with poems by Robert Frost”, Mr. Nath further remarks.
Virus writers preoccupied with using love in malware code now belong to a group called script kiddies, who are considered the opposite of sophisticated hackers.
Love still maintains its status as an effective social engineering technique. According to Trend Micro analysis, 24% of the manually detected malicious URLs (phishing sites, malware download sites) during the Valentine’s months of January and February contained the string “love”, or were crafted to have references to the word.
Trend Micro has also analyzed a mobile phone malware called SYMBOS_BESELO.A that spreads through Bluetooth and Multimedia Messaging Service (MMS) and uses the file names beauty.jpg, love.rm, and sex.mp3.
Trend Micro Smart Protection Network blocks the spam email messages and detects the virus itself, so it can no longer run on systems.