New World Cup Malware Features One-Two Combination


A new World Cup-themed malware scam this week is using a PDF attachment and a malicious link in tandem to trick high-ranking executives at dozens of Brazil's largest corporations into downloading malicious digital cargo.

This latest socially engineered World Cup malware campaign has been under way for a little more than a week, according to an advisory on Symantec's (NASDAQ: SYMC) MessageLabs Intelligence blog.

Symantec officials said they've identified a run of 45 targeted malware e-mails sent to executives at Brazilian chemical, manufacturing and finance companies. The attacks feature come-ons with subject lines, such as "If Brazil wins, you also gain!" and instruct intended victims to "check [to see if you've won] by clicking on the ball!"

Brazil is perhaps the most soccer-crazy country in the world. Its national team has won five of the previous 18 World Cup tournaments and is again considered a favorite to advance deep into what's widely considered the world's largest and most inclusive sporting spectacle.

In this latest World Cup-related attack, hackers are sending unsolicited e-mails spoofing a well-known sportswear manufacturer -- which also happens to be a legitimate World Cup sponsor -- using the company's domain and delivering the toxic payload via a server hosting company in Brazil.

By including both a tainted PDF and a malicious link, the malware purveyors are increasing the odds of successfully infiltrating the networks of the companies and organizations they're targeting.

"The inclusion of two methods of attack means that even if the PDF is removed as suspicious by an anti-virus gateway, the malicious link remains in the body of the e-mail and may still be delivered to the recipient," wrote Tony Millington, a malware operations engineer in Symantec's hosted services group. "This is because many e-mail filtering systems are configured to simply remove or clean viral attachments, and will often allow the 'cleaned' e-mail to be delivered to the recipient, in this case with the malicious link still intact."

Once the malware is downloaded and executed on a victim's PC or mobile device, the damage can be immediate and sweeping.

"The malware probes the botnet's command and control channel, notifying the controller that the infected machine is online and contactable," Symantec officials said. "By this stage the recipient is likely to have their computer under the full control of the attackers to use for whatever purpose or intent they had in mind."

Symantec and other security software vendors strongly urge Internet users to avoid opening e-mail from unknown or suspicious-looking senders, resist the temptation to open attachments or click on corresponding links and to generally assume that any e-mails related to celebrities, sporting events or major world news and events are likely some form of malware.

Larry Barrett is a senior editor at, the news service of, the network for technology professionals.