More Valentine's Day spam detected as carrying Trojans

News by Dan Raywood

A new Valentine's Day spam email has been detected by Websense as containing a Waledac variant.



Websense Security Labs has reported seeing several fake Valentine's Day sites serving up malware recently, along with an increase in adult dating and ‘healthcare’ related email spam released to mark the occasion.


Carl Leonard, Websense threat research manager, claimed that the attack works when the user opens the URL in the spammed message and is redirected to a site showing two puppies and a love heart to give it a Valentine's theme. The user is then enticed to download a Valentine's kit to prepare a present for a loved one; the download is a new Waledac variant.


Leonard said: “The usual suspects have emerged as expected, with Valentine spam emails and Trojans. The public are becoming more aware of these and it is getting harder to trick people this way. Cybercriminals are also taking their efforts to social networks, given their rising popularity and potential to manipulate the user through ‘friend’ messages.


“Organised criminal units have a long history of timing their attacks to coincide with popular occasions in order to achieve maximum success. Valentine's Day 2009 is a day that is similarly marked on the criminals' calendar for targeted attacks.”


Websense has warned of three key signs of fake sites: ‘Broken Hearts’ sites show colourful images such as puppy dogs or a picture of 12 pretty hearts and ask ‘Guess, which one is for you?’. The web page, however, is one big image, and a single click from a tricked user starts the download of Trojans named “onlyyou.exe” or “youandme.exe”, which can connect to remote websites to receive commands and send information about the compromised system.


‘I am your friend’ uses social networking tricks to get users to visit fake sites, with Websense claiming that a popular technique at the moment is spam email pretending to originate from social networking sites, complete with love hearts and cartoon characters. Clicking through to the link would download a Trojan designed to steal login credentials for banking sites.


Seventy per cent of the top 100 most popular websites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites. Specially created malicious sites are in decline as cybercriminals switch to compromising ‘trusted' websites.


Websense claimed that with increased confidence in shopping and researching online, a lot of which happens whilst in the office, people are turning to the internet to order flowers, chocolates and other gifts, and cybercriminals are compromising these sites and stealing data.

Leonard said: “The underground economy is positively flourishing as companies fail to keep up with security technology. Criminals are taking advantage of the growing number of Web 2.0 properties, which allow user-generated content. More than ever we're seeing websites injected with links to direct users to malicious and compromised sites.


“Since many email security systems lack web intelligence, spammers have also stepped up email campaigns which contain links to malicious web pages. It's clear that businesses need security with real-time protection, but until this becomes the norm – cybercriminals will continue stealing data and breaking hearts.”

