25 Feb 2011
Malware scammers have followed the trail of civil unrest in the Middle East from Egypt to Libya.
A targeted email attack has been launched aimed at 27 individuals in six organisations, all of which are involved in promoting human rights, supporting humanitarian aid or are think-tanks for foreign affairs and economic development.
"The email itself is very simple and is designed to appear as part of a discussion about the economic stakes in Libya's current crisis, with the sender claiming to agree with points raised in the attached document," said Paul Wood, Symantec.cloud's senior analyst, in his blog.
The attachment appears to have a .doc extension, but is an RTF-formatted document infected with an exploit for a known vulnerability (CVE-2010-3333: RTF Stack Buffer Overflow Vulnerability).
This exploit allows remote attackers to execute arbitrary code on the infected computer via crafted RTF data in the document.
In most cases, the email headers were spoofed to appear to come from the same domain as the recipient, a familiar social engineering technique used in so-called "spear phishing" attacks.
Further analysis of email headers suggests the originating IP address is from a computer in Romania.
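The two traits described above (RTF content delivered under a .doc name, and a sender domain matching the recipient's) can be checked at a mail gateway. The following is an added example, not code from Symantec.cloud or the article; the function names, the `auth_passed` input and the sample message are assumptions constructed for illustration, and the check compares file type only, it does not detect the exploit itself.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

RTF_MAGIC = b"{\\rtf"  # signature at the start of an RTF document

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def triage(raw: bytes, auth_passed: bool = False) -> list:
    """Return findings for one raw message. auth_passed is the caller's
    own SPF/DKIM verdict for the sending domain (hypothetical input)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = _domain(parseaddr(str(msg.get("From", "")))[1])
    hdrs = [str(h) for n in ("To", "Cc") for h in msg.get_all(n, [])]
    rcpts = {_domain(a) for _, a in getaddresses(hdrs) if a}
    # Internal-looking sender that did not authenticate: the spoofing
    # pattern the article describes.
    if sender and sender in rcpts and not auth_passed:
        findings.append("sender-domain-matches-recipient")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Compare the declared extension with the actual content,
        # ignoring leading whitespace before the RTF signature.
        if name.lower().endswith(".doc") and data.lstrip().startswith(RTF_MAGIC):
            findings.append("rtf-content-named-doc:" + name)
    return findings

def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message; addresses and text are placeholders."""
    m = EmailMessage()
    m["From"] = "Colleague <analyst@example.org>"
    m["To"] = "target@example.org"
    m["Subject"] = "Re: discussion"
    m.set_content("I agree with the points in the attached document.")
    m.add_attachment(payload, maintype="application",
                     subtype="msword", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("brief.doc", b"{\\rtf1\\ansi constructed}")))
```

Either finding is a triage signal rather than a verdict: RTF files saved with a .doc name and genuine internal mail both occur legitimately, so a hit is a reason to quarantine and inspect the attachment.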
Earlier today, Wood published details of a 419-style scam using an email purportedly from Muhammad bin Sayyid al-Mahdi, a cousin of the Senussi royal family overthrown by Muammar al-Gaddafi in the 1969 coup.
Later in the email the writer claims to be the deceased ex-monarch's nephew.
The email alludes to oil wealth and follows the usual pattern of asking for help to transfer a large amount of money out of the strife-torn country, in exchange for "terms".
"Of course, the scammer will demand ever-inventive upfront fees and charges, and never send any money," says Wood.
Although the message was sent through a large webmail provider, it originated from an IP address located in Ghana.
Last week a similar email scam was concocted based on the departure of President Mubarak from Egypt.