It certainly didn't take attackers long to take advantage of the Olympic Winter Games, which began today in Vancouver. Within minutes of the completion of the opening ceremonies, Twitter messages were appearing from an account called gamesvancouver. The shortened URL displayed promises footage of the opening ceremonies but instead redirects users to a page that is effectively a mirror image of the official web page for the 2010 Vancouver Olympics. Upon closer inspection, however, it can be seen that the domain name used by the site is a slight misspelling of the official site, replacing a 'u' for an 'n' in the vancouver2010.com domain name.
The attackers are using a common technique of social engineering victims into downloading a fake codec for Flash, which the site states is necessary in order to view the requested video. In reality, the victim is downloading and installing a Windows executable which contains a Trojan/Downloader. The malicious file is currently detected by only 11 of 41 anti-virus vendors (VirusTotal results). Given the popularity of the Winter Olympics, it is not surprising that attackers are taking advantage of the event to spread malware. It is however concerning that most anti-virus vendors are unable to address this particular threat. Given the authentic nature of the attack site, lack of anti-virus signatures, use of Twitter to advertise the campaign and timing of the attack, it is reasonable to assume that it will succeed in achieving its goal of infecting numerous machines.
Enjoy the Olympics, but be careful where you click!
- michael
