Security researchers are warning users and IT managers about a spike in the number of spam e-mails that are being sent out in massive waves to infect machines with a variant of the virulent Storm worm.
The e-mails entice unsuspecting users into going to malicious Web sites where their machines can be infected, according to a blog post by McAfee researcher Vinoo Thomas. And once the Storm worm infects a computer, new, updated infections can be fed into it.
The Storm worm blasted computers around the globe in January. It then reappeared in February when it was used in a spam attack that lured blog, bulletin board, and Webmail users to connect to a malicious Web site. Then in April, it hit again, with the Internet Storm Center reportedly detecting at least 20,000 infections in one day.
"With administrators filtering executable attachments at the mail gateway and most e-mail clients preventing a user from opening an executable attachment, virus authors are constantly improvising to stay ahead in the game," wrote Thomas. "Social engineering -- the oldest trick in the book -- along with the fatal combination of human stupidity plus curiosity provides ample fodder for virus authors to lure new victims; the innumerable newbie users of the Internet being the low hanging fruit."
In this attack, which started in June, hackers are spamming out e-mail messages that lure people to click on links that take them to malicious Web pages. This time the e-mails purport to notify the user that someone has sent them an electronic greeting card, or e-card. It might have a subject line saying something like, "You've Received a Postcard from a Family Member." The body of the message says the user needs to click on the link to view the virtual greeting.
U.S.-CERT also issued an advisory about the phony e-card attacks. Researchers there recommended that IT managers and users keep antivirus signature files up to date and block executable and unknown file types at the e-mail gateway. Users should also be frequently reminded not to open e-mails about e-cards unless they check to make sure that someone actually sent them one.