Cybercrimes of Opportunity in Wake of Busy News Week

April 18, 2013

Posted in: Network Security Trends

Tragedy tends to bring out the best in the human spirit, but to those without a moral compass, it can mean opportunity.

The recent Boston Marathon bombing has apparently brought out cyber criminals looking to take advantage of a wounded public’s need to know, generating a massive spam and malware campaign.

Michael Molsner, a regional researcher at Kaspersky, wrote in a blog post that his lab had begun receiving emails shortly after the incident "containing links to malicious locations with names like 'news.html.' These pages contain URLs of non-malicious youtube clips covering the recent event. After a delay of 60 seconds, another link leading to an executable file is activated." Molsner, and his team, have identified the threat as Trojan-PSW.Win32.Tepfer.

Samir Patil, a security response supervisor at Symantec, wrote in a blog post that it took only hours for malware-laden spam emails to begin making the rounds in large numbers. The email contains a link that, once clicked, sends users to a compromised video site.

"The Web page shows a series of videos of the attack site," he wrote. "There is an unloaded video at the bottom of the Web page that leads to the Red Exploit Kit which exploits various vulnerabilities on the user’s computer. Once an exploit has been successful, the user sees a popup asking them to download the file boston.avi_______.exe."

Craig Williams, a technical leader at Cisco Systems, wrote in a post that the event spawned two botnet-generated email campaigns. One utilizes a known Java vulnerability to spread graphical HTML content claiming to be breaking news alerts from CNN.

"Upon loading the content from the last iframe, the user would be prompted to download a malicious jar file that is detected as an attempt to exploit CVE-2012-1723. The user may also be prompted to download a suspicious Windows executable masquerading as a movie file," wrote Williams. "The second botnet’s spam campaign is masquerading as a message from CNN. These spam messages entice the user with a link claiming: 'You have received the following link from BreakingNews@mail.cnn.com.'"

Similar attempts to exploit the news cycle have just recently popped up around the overnight deadly explosion at a fertilizer plant in West, Texas.

According to Sophos, the emails regarding the explosion arrive with the headline: "CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas." Clicking on the video link takes users to a YouTube video page, which seems harmless enough save for the 640x360 pixel iFrame at the bottom of the page.


"[That frame] attempts to suck in malicious content from another site, designed to infect your computer. The attack uses the Redkit exploit kit to take advantage of vulnerabilities on visiting PCs in order to infect them with malware. The Redkit exploit kit uses a PHP shell hosted on compromised websites to run its operations," wrote Sophos.
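Both the Symantec and Sophos descriptions above share one mechanic: a page full of legitimate-looking video embeds plus one extra iframe that pulls content from a different site. The following script is an added example, not code from the original post or from any of the vendors quoted; it lists the iframes in a page and flags any whose source host is neither the page's own host nor a trusted video host. The sample page, the host names `compromised-site.invalid` and `exploit-kit.invalid`, and the video IDs are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None
            self.iframes.append(dict(attrs))


def find_offsite_iframes(html, page_host, trusted_hosts=("www.youtube.com", "youtube.com")):
    """Return the iframes whose src points at a host other than the page's own
    host or an explicitly trusted embed host.

    A relative src (no host) stays on page_host and is not flagged."""
    collector = IframeCollector()
    collector.feed(html)
    flagged = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or page_host).lower()
        if host == page_host.lower() or host in trusted_hosts:
            continue
        flagged.append({
            "src": src,
            "host": host,
            "width": attrs.get("width"),
            "height": attrs.get("height"),
        })
    return flagged


# Constructed sample page in the shape the article describes: two ordinary
# video embeds followed by a 640x360 frame that loads from another site.
SAMPLE_PAGE = """<html><body>
<h1>CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER_1"></iframe>
<iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER_2"></iframe>
<iframe width="640" height="360" src="http://exploit-kit.invalid/news.html"></iframe>
</body></html>"""


if __name__ == "__main__":
    for frame in find_offsite_iframes(SAMPLE_PAGE, "compromised-site.invalid"):
        print("off-site iframe:", frame)
```

The trusted-host list is deliberately short; in practice you would populate it from the embed hosts your own pages legitimately use, so that anything else loading in a frame stands out in a crawl of your site.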

As we posted earlier, the U.S. Cyber Emergency Response Team (US-CERT) offers a number of ways in which people can reduce their exposure to phishing campaigns. We recommend simply not opening or clicking on links from unknown sources, and checking the form of the URL: in the CNN lure identified by Cisco, for example, a genuine CNN address would likely not contain 'mail' before CNN, but rather just 'CNN.com.'
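The "check the form of the URL" advice can be automated for links in a message. The script below is an added example, not code from the original post or from US-CERT; it pulls every link out of a message body, extracts the host, and compares the host's registrable domain with the domain the message claims to come from. It also flags bare IP-address links and hosts that merely start with the brand name (a lookalike such as `cnn.com.something.invalid`). The sample message, the IP address 198.51.100.7 (a documentation range) and the host `news-alerts.invalid` are constructed; the two-label registrable-domain rule is a simplification that ignores multi-label suffixes such as `co.uk`.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def registrable_domain(host):
    """Simplified registrable domain: the last two labels of the host.
    Good enough for this demonstration; a real tool would consult the
    public suffix list so that hosts under co.uk and similar work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_links(body, expected_domain):
    """Return one verdict per link found in body.

    A link is accepted only when its host is a name (not an IP literal) whose
    registrable domain equals expected_domain; 'cnn.com.evil.invalid' therefore
    fails even though it begins with the expected brand."""
    expected_domain = expected_domain.lower()
    verdicts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not host or is_ip_literal(host):
            reason = "ip-address or missing host"
            ok = False
        elif registrable_domain(host) != expected_domain:
            reason = "registrable domain %s != %s" % (registrable_domain(host), expected_domain)
            ok = False
        else:
            reason = "domain matches"
            ok = True
        verdicts.append({"url": url, "host": host, "ok": ok, "reason": reason})
    return verdicts


# Constructed sample in the style of the CNN lure described above:
# a mix of a genuine CNN link, a raw IP link and a brand-prefixed lookalike.
SAMPLE_BODY = """You have received the following link from BreakingNews@mail.cnn.com.
Watch: http://198.51.100.7/news.html
Full coverage: http://www.cnn.com/
Video: http://cnn.com.news-alerts.invalid/boston.html
"""


if __name__ == "__main__":
    for v in check_links(SAMPLE_BODY, "cnn.com"):
        print("OK  " if v["ok"] else "BAD ", v["url"], "-", v["reason"])
```

The useful generalization is the third case: attackers routinely place the brand name at the start of a host they control, which is why the check compares the registrable domain rather than looking for the brand string anywhere in the URL.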
