New Spam Uses Bomb Hoax and Location Lookup to Spread Malware

Written by Sue Walsh on March 18, 2009

A new wave of spam combines a new technique with an old one in its efforts to spread malware. Spam messages containing a fake news alert claiming a bombing has taken place in the recipient’s local area are hitting inboxes across the net. Manipulating headlines and making up fake news stories are nothing new in the land of spam, but tailoring these messages specifically to the recipient’s location is. It appears that spammers are using IP lookups to deliver personalized content.

The spam contains a link to a site that displays a realistic-looking Reuters news story and video. The news story reads much like this:

          At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Amsterdam. Authorities suggested that the explosion was caused by “dirty” bomb. Police said the bomb was detonated from close by using electric cables. “It was awful” said the eyewitness about blast he heard from his shop. “It made the floor shake. So many people were running,”

“Amsterdam” changes to a city near the recipient, based on an IP lookup. The video, if clicked on, tells the user they must update a CODEC before it can be viewed. The CODEC is actually a Trojan that adds the infected computer to the Waledac botnet, downloads even more malware, scans the system for personal information, and attempts to send itself to the users in the infected system’s address book.

Despite the spammers’ attempts to personalize their spam and make their site look as realistic as possible, the poor grammar in their fake news story is a dead giveaway!

