Earlier this afternoon in Italy hundreds of thousands of people received an email from a “friend” stating (approximately) the following:
You’re under investigation! Hide everything and be quick!!! Your name appeared this morning together with 150 more persons on the website of CAFF in Rome. Check it by yourself, you’re on January’s list: the website is the following: http://www.site.tld/caff/
The email is relatively convincing and Symantec believes many users have actually visited the Web site:
The Web site look and feel is very similar to other Italian government Web sites and also the choice of the name—Comando Antifrode CAFF (actually non-existent)—is quite convincing because it sounds similar to the legitimate name of an anti-fraud group within Italian law enforcement agencies (Comando Nucleo Frodi Telematiche). Because of this attempt to mimic a legitimate site, one might speculate that the attack has been organized by perhaps an Italian person, or somebody who knows Italy very well.
The embedded links in the fraudulent Web site force the download of two different files (lst-01-2008.zip and pdf-01-2008.exe). Both files contain malware, which Symantec detects as Trojan.Selex.B.
The bottom line here is that once again attackers are proving to be smarter and smarter and are always looking for new ways to get users’ attention and spread malicious code. In order to protect your PC, don’t trust messages coming from unknown sources, avoid visiting advertised Web sites unless you feel certain of their origin, and always keep your antivirus updated with the latest definitions.