Scam Of The Week: CIA Prism Watchlist
Just this morning, a researcher discovered an email uploaded to VirusTotal called CIA's_prism_Watchlist_.eml. The content refers to Snowden, and the attachment, called Monitored List1.doc, exploits a known vulnerability. This particular attack was focused on Tibetans in India, which means the Chinese are behind it, but this thing is going to spread far and wide.
Warn your users that when they get emails with subjects like "You Are On The CIA Prism Watchlist", or emails that refer to CIA or NSA Prism lists they are on, they should delete the email and not open the attachment. There will also be variants without attachments that make people click on a link to an infected website. Since Prism has been all over the press recently, this is a prime social engineering tactic for the bad guys: they manipulate people into acting to avoid a negative consequence. Here is the first version of the email, which will have many, many similar iterations as long as this thing stays in the press: