McAfee Labs Messaging Security recently observed a spam campaign based on the Boston Marathon bombing and the Texas fertilizer plant explosion. The messages take advantage of our interest in these tragic events to lure victims to malware and exploits. Last week my colleague Paras Gupta blogged about the use of the Black Hole exploit kit to disguise spam campaigns as top service brands. In that case, spammers served hidden iframes and redirections that exploited vulnerabilities across operating systems. This week, spammers are taking advantage of the tragedies with the help of the Red Kit exploit kit.
The following list of URLs are just a few of the malicious links we observed during our investigation. There could be many more patterns that we have not yet found.
- http://<some domain>/cnn_boston.html
- http://<some domain>/bostoncnn.html
- http://www.<some domain>/bbb_compl_genr.html
- http://<some zombie IP>/boston.html
- http:// <some zombie IP>/news.html
- http:// <some zombie IP>/texas.html
The campaign was likely made especially for the Boston Marathon bombings, but it was quickly altered to accommodate the Texas fertilizer plant explosion and follows the same pattern, as we can see from these subject lines.
- Explosions at the Boston Marathon
- Texas Plant Explosion
- Video of Explosion at the Boston Marathon 2013
- Aftermath to explosion at Boston Marathon
- Opinion: Boston Marathon Explosions – FBI Benefits? – CNN.com
- Opinion: North Korean Official’s child was the CIA target – Boston Marathon Explosions
- Opinion: FBI knew about bombs 3 days before Boston Marathon – Why and Who
- Opinion: Boston Marathon Explosions – Obama Benefits? – CNN.com
Most of the samples coming with a simple subject line referring to a breaking-news update, with a fake hyperlink and a reference to the current incident. Spammers often take advantage of the latest events to make it tricky for antimalware companies to filter these messages or to recognize them as spam. Spammers target recipients with emails designed to pique their curiosity.
Boston Marathon fake email:
Texas plant fake email:
Fake CNN breaking news email:
People using McAfee Site Advisor will get an instant alert after clicking this type of bogus link.
Those who ignore this warning and choose to “Visit anyway” will reach a title page of a malicious website:
- Hot News::Videos of Explosions at the Boston Marathon 2013
- Hot News::Fertilizer Explosions
The page contains the following:
- An automatic download for a malicious executable file that could make changes to the Registry and install files to allow hackers to gain remote entry to the infected PC
- Four or five links to YouTube videos of explosions at the Boston Marathon or Texas fertilizer plant
- Hidden iframes and redirections that exploit vulnerabilities across operating systems
After visiting this malicious site, the user will be taken to a web page with four or five valid videos. But the last video has an embedded Red Kit iframe that downloads a payload file without the victim’s knowledge. A sample follows:
McAfee security products will give an alert immediately before a malicious file starts to download on the user’s PC.
As always, we advise users to follow best practices to avoid any targeted fraud/spam/phishing harassment.
- Do not open or click any links in emails from unknown persons
- Ignore unsolicited requests for sensitive personal information
- Regularly update your security software
- Don’t open any suspicious attachments in emails from unknown persons