An internet worm that uses social engineering to direct you to a malicious web page is nothing new – that’s just everyday malware. But there is something different about the latest variant of the Waledac worm: it uses geolocation services to target its intended victims. Initially, the Waledac worm sends a spam email message claiming there has been a dirty bomb explosion in “your city.” If the victim clicks through on the provided link, the worm then uses a geo-IP lookup service to customize the story appearing on the malicious site which is designed to look like that of news agency Reuters.
The rest of the attack is somewhat predictable. Users view the fake news story that now includes their own city’s name in the headline and body of the article which begins, “powerful explosion burst in [your city name here] this morning.” Then users are encouraged to view the video, but if they click on the video itself or the link below, they’re prompted to download the latest version of Flash Player. Of course, that download isn’t Flash, but the worm itself.
What’s interesting about this new attack vector is the fact that the worm is customizing the relevancy of its message by using geo-awareness… and this isn’t the first time the worm has done so. Although an IP lookup isn’t going to yield pinpoint accuracy, it will usually get the city name correct and for now, that may be good enough. But if we know malware writers, then we know that it’s only a matter of time before they attempt to exploit the new geo-aware services, too, in order to deliver even more precisely targeted messages.
Are Mobile-Based Geo-Aware Exploits Next?
For truly accurate geo-aware targeting, attacks would have to come across the mobile front where people carry pocket-sized GPS units integrated into their handhelds. Mobile computing is on the rise and where the people go, so go the hackers.
In a relatively short period of time, we’ve seen the rise of mobile social networks like Brightkite, Loopt and others; Google’s new location-based tracking service Latitude made its debut; and more recently, Yahoo’s Fire Eagle technology arrived on Facebook and in Firefox. With any one of these services, a user’s exact location could be plotted. Armed with that info, what could a malware author do? Send you news stories about the restaurant where you’re dining? Text you drink specials when you’re at a bar? Who knows! But combine that level of accuracy with mobile-ready malware-laden web sites and we could have a real threat on our hands.
Mobile Malware is Still Quiet… for Now
However, this is all just speculation at this point. Today’s mobile malware incidents are few and far between. Still, the treasure troves of personal information stored on our smartphones make them appealing targets to malware writers. No matter how tight the security of these modern devices is, eventually, hackers can find their way in.
According to Andrew Storms, director of information technology at nCircle Network Security, bigger phone-based threats are just around the corner. “No one should be surprised if we see the first major threat of the migration of botnets from traditional computing devices to mobile platforms,” Storms says. “Some smartphones already have more memory and higher processing power than laptops from just a few years ago. A constantly moving and adapting mobile botnet presents a compelling business proposition for hackers and an interesting real-world case study in chaos theory.”
Patrik Runald, Chief Security Advisor at F-Secure, agrees. “At some point, the criminals now developing PC malware will start focusing on mobile devices,” Runald said. “It’s not a question of if, but when and how. I’m keeping a close eye on the iPhone — it may be the tipping point that sets the mobile malware field afire.”
Frankly, we’re surprised it isn’t here already. Are modern smartphones really that much more secure or do they still not yet exist in large enough numbers to make them worth attacking?
Image credit: kmevans
