Cyren Security Blog

Beware the phony Classmates.com email

Classmates.com has become the latest in a series of well-known brands to be abused by a particular gang of malware distributors. The similarities to other outbreaks include:

  • Linking to multiple compromised sites which then redirect to the malware hosting sites
  • Favoring compromised WordPress sites as the first hop
  • Hosting the malware on various .ru domains
  • Showing simple messages on the malware page such as “Please Wait – Loading” (black text on white)
  • Using the same Flash exploits to deliver the malware

Previous attacks in the series used well-known brands such as Amazon.com, LinkedIn, Verizon Wireless and AT&T Wireless.

The Classmates.com email thanks the recipient for joining and provides links to confirm the user's details or make corrections.

Once again the initial link points to a compromised WordPress site. A script hidden on this site dynamically builds a redirect to a forum site. There, a second script embedded in a forum post directs the browser to the final .ru domain, which displays the expected “Loading” message. This “double hop” is a slight change from previous similar attacks: the link in the email and the first redirect both point at otherwise legitimate domains, so reputation-based filtering of the mailed URL sees nothing suspicious.

The script on the final site checks which PDF reader and Flash Player versions are installed on the target PC.

  • If a vulnerable version is found, it redirects the browser to a malicious SWF (Flash) file.
  • If not, it redirects to google.de.

Because of this check, a browser or sandbox without the targeted plugin versions sees only a harmless redirect to google.de; to observe the exploit stage, the landing page has to be fetched with the plugin versions it is looking for.
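The redirect chain described above (compromised WordPress page, forum post, .ru landing page) is the kind of thing an analyst wants to trace mechanically rather than by hand in a browser. The following is an added example, not Cyren's code and not taken from the campaign: a small offline tracer that follows HTTP 3xx Location headers, meta refresh tags and simple JavaScript location assignments, including a redirect that a script assembles from concatenated string literals and variables, and then flags the traits this post lists. Every URL, hostname and page body in it is constructed sample data chosen to mirror the chain; the `.example` and `example.ru` names are not the real campaign domains.

```python
"""Offline tracer for a multi-hop malware redirect chain.

Added example (not Cyren's code). Follows HTTP 3xx Location headers,
<meta http-equiv="refresh"> tags and simple JavaScript location
assignments, including redirects built from concatenated string
literals and variables, then reports indicators matching the chain
described in the post. All URLs and page bodies are constructed.
"""
import re
from urllib.parse import urljoin, urlparse

# Constructed sample responses: url -> (status, headers, body).
SAMPLE_SITE = {
    # Hop 1: compromised WordPress page; the injected script assembles the next URL.
    "http://wp-victim.example/?p=1": (200, {}, """<html><head>
<link rel="stylesheet" href="/wp-content/themes/twentyten/style.css"></head><body>
<script>var a='http://forum-vic'+'tim.example/';var b='thread.php?t=99';
window.location = a + b;</script></body></html>"""),
    # Hop 2: forum post carrying the second redirect script.
    "http://forum-victim.example/thread.php?t=99": (200, {}, """<html><body>
<div class="post">Great thread!<script>location.href="http://landing.example.ru/x.php";</script></div>
</body></html>"""),
    # Hop 3: the .ru landing page with the decoy text.
    "http://landing.example.ru/x.php": (200, {}, "<html><body>Please Wait - Loading</body></html>"),
}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
ASSIGN_RE = re.compile(r"(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*([^;]+);")
JS_LOCATION_RE = re.compile(r"(?:window\.)?location(?:\.href)?\s*=\s*([^;]+);", re.I)
STR_LITERAL_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def eval_js_concat(expr, env):
    """Resolve a JS expression made only of string literals, names and '+'.
    Returns None if it contains anything else (calls, decoding, arithmetic)."""
    parts = []
    for term in expr.split("+"):
        term = term.strip()
        lit = STR_LITERAL_RE.fullmatch(term)
        if lit:
            parts.append(lit.group(1) if lit.group(1) is not None else lit.group(2))
        elif term in env:
            parts.append(env[term])
        else:
            return None
    return "".join(parts)


def js_redirect_target(script):
    """Find a location assignment in a script, resolving simple variable concatenation."""
    env = {}
    for name, expr in ASSIGN_RE.findall(script):
        value = eval_js_concat(expr, env)
        if value is not None:
            env[name] = value
    m = JS_LOCATION_RE.search(script)
    return eval_js_concat(m.group(1), env) if m else None


def next_hop(url, status, headers, body):
    """Return the URL this response sends the browser to, or None if it is terminal."""
    if 300 <= status < 400:
        loc = {k.lower(): v for k, v in headers.items()}.get("location")
        if loc:
            return urljoin(url, loc)
    m = META_REFRESH_RE.search(body)
    if m:
        return urljoin(url, m.group(1))
    for script in SCRIPT_RE.findall(body):
        target = js_redirect_target(script)
        if target:
            return urljoin(url, target)
    return None


def fetch_sample(url):
    """Stand-in for an HTTP client: look the URL up in the constructed sample."""
    return SAMPLE_SITE.get(url)


def trace_chain(start_url, fetch, limit=10):
    """Follow redirects from start_url, recording (url, status, body) per hop.
    Stops on a dead end, a loop, or after `limit` hops."""
    hops, seen, url, body = [], set(), start_url, ""
    while url and url not in seen and len(hops) < limit:
        seen.add(url)
        resp = fetch(url)
        if resp is None:            # unreachable or unknown: record and stop
            hops.append((url, None, ""))
            body = ""
            break
        status, headers, body = resp
        hops.append((url, status, body))
        url = next_hop(url, status, headers, body)
    return {"hops": hops, "final_url": hops[-1][0], "final_body": body}


def assess(chain):
    """Flag the traits the post lists: WordPress entry point, two or more
    redirects (the 'double hop'), a .ru final domain and a 'Loading' decoy."""
    hops = chain["hops"]
    first_url, _, first_body = hops[0]
    final_host = urlparse(chain["final_url"]).hostname or ""
    return {
        "wordpress_entry": "wp-content" in first_body or "/wp-" in first_url,
        "multi_hop": len(hops) >= 3,
        "final_ru_tld": final_host.endswith(".ru"),
        "loading_lure": re.search(r"please\s+wait|loading", chain["final_body"], re.I) is not None,
        "path": [urlparse(u).hostname for u, _, _ in hops],
    }


if __name__ == "__main__":
    result = trace_chain("http://wp-victim.example/?p=1", fetch_sample)
    for hop_url, hop_status, _ in result["hops"]:
        print(hop_status, hop_url)
    print(assess(result))
```

To use this against live samples, replace `fetch_sample` with a function that performs the request without following redirects itself (so each hop is recorded) and returns the same `(status, headers, body)` triple. The JavaScript resolver deliberately gives up on anything beyond literal concatenation; obfuscated landing scripts that decode their target at runtime need a real browser or a sandbox, which is also the point at which the plugin-version check described above decides whether the SWF is ever served.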
