Storm Worm criminals behind confirmation email spam outbreak

August 25, 2007

When I first received emails with the subject “Registration details” and “Welcome new member” I thought that perhaps I’d been sent the email in error. However, when I started receiving dozens of such emails, the penny dropped: it was spam. And worse, as it turns out, it’s malicious spam designed to infect PCs with malware, and it’s been unleashed by the criminals responsible for the infamous Storm Trojan.

Internet security company Marshal has now confirmed that these types of emails are a new outbreak of malicious spam emails that use login account confirmation details as a hook to get email users to visit an infected web site.

According to the Marshal Threat Research and Content Engineering (TRACE) team, the spam emails appear to come from a legitimate organization and provide recipients with temporary login confirmation details for a web site. The spam uses text like “for security purposes, please login and change the temporary Login ID and Password”. The messages include a link to an IP address which is in fact a website infected with the Storm Trojan.

The messages appear to come from the technical support departments of a range of organizations with names designed to generate the interest of the broad public, such as “Joke-A-Day” and “Web Players”. The links appear as an IP address rather than a more normal URL.

A typical email looks like this:

Welcome,

Thank You for Joining Resume Hunters.

Member Number: 82657738841
Temp Login ID: user6828
Temp Password ID: xl748

Please Change your login and change your Login Information.

Follow this Link: http://24.98.143.21/

Thank You,
New Member Technical Support
Resume Hunters
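The two traits this article describes, a link whose host is a bare IP address and “temporary” credentials that the recipient is urged to change, are easy to check for in a mail filter. The following is an added example, not code from the article or from Marshal; the sample message is constructed from the template above with the link host replaced by a documentation-range address, and the scoring thresholds are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the "Resume Hunters" message above. The
# address is from the TEST-NET-1 documentation range, not the real lure.
SAMPLE_EMAIL = """Welcome,

Thank You for Joining Resume Hunters.

Member Number: 82657738841
Temp Login ID: user6828
Temp Password ID: xl748

Please Change your login and change your Login Information.

Follow this Link: http://192.0.2.10/

Thank You,
New Member Technical Support
Resume Hunters
"""

# Capture the host part of every http(s) URL in the body.
URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?\S*", re.IGNORECASE)
# "Temp Login", "Temporary Password" and similar credential wording.
LURE_RE = re.compile(r"\btemp(?:orary)?\s+(?:login|password)", re.IGNORECASE)
# The "please change your login/password" call to action.
CHANGE_RE = re.compile(r"\bchange your (?:login|password)", re.IGNORECASE)


def is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 literal rather than a name."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def ip_literal_links(body):
    """Hosts of all links in the message whose host is a bare IP address."""
    return [m.group(1) for m in URL_RE.finditer(body) if is_ip_literal(m.group(1))]


def score_confirmation_lure(body):
    """Count the campaign traits present; 2 or more (assumed) flags the mail."""
    reasons = []
    ips = ip_literal_links(body)
    if ips:
        reasons.append("ip_literal_link")
    if LURE_RE.search(body):
        reasons.append("temporary_credentials")
    if CHANGE_RE.search(body):
        reasons.append("change_request")
    return {"score": len(reasons), "reasons": reasons, "ips": ips, "flag": len(reasons) >= 2}
```

A real filter would also check the link against the sender's claimed organization, since a legitimate welcome mail almost never points at a raw IP address.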

“We are seeing significant volumes of ‘confirmation spam’ hitting inboxes,” said Bradley Anstis, Director of Product Management at Marshal. 

“This outbreak is the latest in a string of underhanded social engineering tactics used by the same individuals responsible for the Storm Trojan to propagate their botnet. These criminals are clever and highly adaptive. This is simply their latest attempt to fool unsuspecting email users into infecting themselves.”

The original Storm Worm appeared in January of this year and infected thousands of computers around the world, turning them into zombie slaves working for a botnet designed to send spam. Storm Worm used current affairs headlines to fool unsuspecting recipients into clicking on a link which led to the Trojan. Since then the group of criminals behind the Storm Trojan have used the guise of greeting cards to infect computers with subjects ranging from the 4th of July to Thank You cards.

“The ‘confirmation spam’ outbreak has been launched by the same group that launched the Hot Pictures spam campaign earlier in the week. Previously these spam campaigns, like the greeting card campaign, would last for weeks at a time. Now however, spammers are modifying or launching new spam campaigns almost daily,” commented Anstis.

“Our advice to anyone who receives a message like this from a person they do not know, or have not heard from for a long time is to delete it without opening it. Certainly, don’t click on the link in the message and don’t click “OK” if it asks to download a file,” warned Anstis.

The creators of spam are so devious that it’s getting to the point that if you receive any unexpected email containing links you should just go ahead and delete it.


6 Responses to “Storm Worm criminals behind confirmation email spam outbreak”

  1. ed:

    Whats the point of posting a live link that leads to a trojan infected page?

  2. Staff reporters:

    Live link removed. Thanks for picking that up.

  3. Evan:

    Interestingly, unlike ‘fast flux’ hosting in which DNS records point to dozens of compromised systems with a low TTL set for each, these emails are only pointing to a single IP – a much more specific point of failure (depending on (a) how ‘spam-friendly’ the registrar used is, and (b) how responsive the abuse department is for the compromised host).

    Granted, these botnets are very distributed, but the use of an IP rather than domain makes it easier for an ISP to confirm a system is affected and take action against it. Contrast that with an abuse report for a domain – which, with fast-flux, may not be pointing to an IP within that ISP’s netblock by the time they get around to researching the issue.

  4. vbmds:

    A silent tongue and true heart are the most admirable things on earth. http://www.laizjj.cn/

  5. dofus:

    Bon marche de Dofus Kamas: http://www.servicegamer.com/dofus-kamas-fr.asp
    Dofus: http://www.mmovs.com/dofus-kamas-fr/
    Wakfu: http://www.mmovs.com/wakfu-kamas-fr/

  6. amy:

    I agree with you, your saying is so good and useful for me. Thanks. Are you also like

    http://www.360huoyuan.com

Copyright © 2010 Blorge.com