Cyren Security Blog

Beware the phony Classmates.com email

Classmates.com has become the latest in a series of well-known brands to be abused by a particular gang of malware distributors. The similarities to other outbreaks include:

  • Linking to multiple compromised sites which then redirect to the malware hosting sites
  • Favoring WordPress sites (that can be exploited)
  • Hosting the malware on various .ru domains
  • Showing simple messages on the malware page such as “Please Wait – Loading” (black text on white)
  • Using the same Flash exploits in the malware

Previous attacks used well-known brands such as Amazon.com, LinkedIn, Verizon Wireless and AT&T Wireless.

The Classmates.com email thanks the recipient for joining and provides links to confirm the user or make corrections.

Once again the initial link is to a compromised WordPress site. A script hidden on this site dynamically builds a redirect to a forum site. Here, a second script embedded in a forum post directs to the final .ru domain which displays the expected “Loading” message. This “double-hop” is a slight change from previous similar attacks.

The malware on the final site checks the PDF and Flash versions installed on the target PC.

  • If an appropriate version is found, it redirects to a malicious SWF Flash file.
  • If not, it redirects to google.de.
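The chain described above (email link to a compromised WordPress page, redirect to a forum post, redirect to a .ru landing page that serves a Flash object) leaves a distinctive referrer trail in web proxy logs. The following script is an added example written for this post, not code from Cyren or from the attack itself: it reconstructs per-client click-through chains from constructed sample proxy lines by walking referrers backwards and flags chains that combine several of the traits listed in the post (two or more hops, a WordPress path in the middle, a .ru terminal host, a .swf fetch). The log format, host names and scoring threshold are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Fields: time client method url status referrer
# The first client follows the "double-hop" chain from the post; the second is ordinary browsing.
SAMPLE_LOG = """\
10:01:02 10.0.0.5 GET http://wp-example.test/wp-content/uploads/x.php 302 http://mail.example.test/inbox
10:01:03 10.0.0.5 GET http://forum-example.test/viewtopic.php?t=42 200 http://wp-example.test/wp-content/uploads/x.php
10:01:04 10.0.0.5 GET http://landing-example.ru/index.php 200 http://forum-example.test/viewtopic.php?t=42
10:01:05 10.0.0.5 GET http://landing-example.ru/exp.swf 200 http://landing-example.ru/index.php
10:05:00 10.0.0.9 GET http://news.example.test/article/1 200 http://search.example.test/
10:05:01 10.0.0.9 GET http://cdn.example.test/img.png 200 http://news.example.test/article/1
"""

# Path fragments that identify a WordPress install (assumed indicators, chosen for the example)
WORDPRESS_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/", "/wp-login.php")
SUSPECT_TLDS = (".ru",)   # the post describes .ru hosting; extend to taste
FLAG_THRESHOLD = 3        # number of matching traits before a chain is reported (assumed)


@dataclass
class Request:
    ts: str
    client: str
    url: str
    status: int
    referrer: str


def parse_log(text):
    """Parse the whitespace-separated sample format into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, ref = line.split()
        reqs.append(Request(ts, client, url, int(status), ref))
    return reqs


def build_chains(reqs):
    """For every request, walk referrers backwards (per client) to rebuild the chain that led to it."""
    ref_of = defaultdict(dict)
    for r in reqs:
        ref_of[r.client].setdefault(r.url, r.referrer)   # keep the first referrer seen per URL
    chains = []
    for r in reqs:
        chain, seen, ref = [r.url], {r.url}, r.referrer
        refs = ref_of[r.client]
        while ref != "-" and ref in refs and ref not in seen:
            chain.append(ref)
            seen.add(ref)
            ref = refs[ref]
        if ref != "-" and ref not in seen:
            chain.append(ref)   # origin page (e.g. webmail) that was never itself a logged target
        chain.reverse()
        chains.append((r, chain))
    return chains


def score_chain(chain):
    """Return the list of traits from the post that this chain exhibits."""
    reasons = []
    hops = len(chain) - 1
    if hops >= 2:
        reasons.append(f"{hops} redirect hops")
    if any(m in u for u in chain for m in WORDPRESS_MARKERS):
        reasons.append("transits a WordPress path")
    last = urlparse(chain[-1])
    if (last.hostname or "").endswith(SUSPECT_TLDS):
        reasons.append(f"terminates on {last.hostname}")
    if last.path.lower().endswith(".swf"):
        reasons.append("fetches a Flash (.swf) object")
    return reasons


def find_suspicious_chains(log_text):
    """Flag chains with >= FLAG_THRESHOLD traits, keeping only the longest chain per path prefix."""
    flagged = []
    for r, chain in build_chains(parse_log(log_text)):
        reasons = score_chain(chain)
        if len(reasons) >= FLAG_THRESHOLD:
            flagged.append({"client": r.client, "chain": chain, "reasons": reasons})
    # Drop chains that are strict prefixes of a longer flagged chain (same client), to report each incident once
    return [c for c in flagged
            if not any(o is not c and o["client"] == c["client"] and len(o["chain"]) > len(c["chain"])
                       and o["chain"][:len(c["chain"])] == c["chain"] for o in flagged)]


if __name__ == "__main__":
    for hit in find_suspicious_chains(SAMPLE_LOG):
        print(hit["client"], " -> ".join(hit["chain"]))
        print("   traits:", "; ".join(hit["reasons"]))
```

Referrer-based reconstruction is only as good as the referrer headers the browser sends, so treat the output as a triage hint that points an analyst at the compromised first hop (the WordPress site) and the final host, both of which the post identifies as the stable parts of this campaign.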
