Are you ready for some football?
That could be the motto for the authors of the virulent Storm worm. After months of social engineering tricks centered around fake news alerts, promises of photos of scantily clad female celebrities, and even patch updates, the malware authors have turned their attention to the opening days of the U.S. football season.
"Anything to do with NFL at this time is going to be compelling for a lot of users," said Ron O'Brien, a senior security analyst with Sophos, in an interview. "This wasn't completely unexpected. The NFL season, particularly in the U.S. and with the rise of fantasy football, almost qualifies as a holiday. As we'd expect to see social engineering techniques arise around the holidays, like Mother's Day, we expect to see them arise with the start of football season."
The NFL (National Football League) season opened on Thursday, Sept. 6.
The Storm worm authors have been pounding the Internet with waves of mass mailings in an attempt to build up their botnet. The bigger and more far-reaching their botnet, the more spam they can send out and the more powerful denial-of-service attacks they can launch.
Cybercriminals commonly use holidays or major news items as the basis for new social engineering tricks. At the beginning of the month, for instance, the Storm worm authors sent out phony Labor Day e-cards, trying to lure unsuspecting users into clicking on a link that would supposedly take them to an electronic greeting card but actually took them to a malicious Web site where their machine was infected.
Both Sophos and the Internet Storm Center alerted users that the hackers sent out a new Storm worm campaign over the weekend.
This one came in the form of an e-mail with subject lines like: Are you ready for football season?; Free NFL Game Tracker; Football Season Is Here!; and Do you have your NFL Game List? The e-mail contains a link to a Web page that has the actual game results but all URLs in the page link to a malicious file, tracker.exe.
"The game result displayed is the real result," said O'Brien. "The person or persons responsible for this did their homework. It's indicative of the fact that they're constantly looking for new ways to add machines to their botnet."
Sophos is calling this variant of the Storm worm Mal/Dorf.