It isn’t exactly new: spammers and malware distributors love current events that draw a lot of public attention. They use them and the public interest for their campaigns to lure curious recipients into doing things they might not usually do: click on links or open attachments. So it fits their purpose very well that the beginning of this week saw a news story that dominated newscasts all over the world: the arrival of a royal baby in Britain. A gift to the British monarchy – and to cybercriminals. Within hours of the news, campaigns were initiated to exploit the huge interest for the spammers’ purposes. Between Tuesday, July 23, and Wednesday, July 24, the Commtouch Email Security Labs observed eight drive-by malware waves with this topic.
Fake royal baby news alert
The emails are very simlar to those used in the campaigns exploiting the election of the new pope and the financial crisis in Cyprus a few months ago (“CNN Breaking Newsâ€). These advertized alleged exclusive images and video footage of the events. The links, however, led to Websites delivering malware. The royal-baby-themed campaigns used exactly the same tactic: the emails had the subject line “The Royal Baby: Live updates†and even promised a link to a live cam at the hospital.
Three steps to malware
If the user clicks on the links in the email, however, they are led not to exclusive footage but to a badly maintained Website which has nothing to do with the topic. Looking at the source code, it is revealed that there are three hidden links leading to malware-infected sites. The script Ҡactivates a JavaScript in the background – without the user noticing – that results in downloading the Blackhole Exploit Kit. All the user sees, it a message saying “Connecting to server…â€.
“Connecting to server…â€
When the Commtouch researchers tried to follow the third link, the target site was no longer available (displaying a 502 error message) – apparently, the hoster had already blocked it. The top level domain nphscards.com contained a forward to the MSNBC.News Website.
All the hidden links led to sites infecting the user’s computer the Blackhole Exploit Kit, one of the cybercriminals’ favorite tools today. It scans the target system and then downloads the malware most appropriate to it.
Almost one third of the emails came from IP addresses in the United Stated, followed by Peru and Chile – two countries that have not been a frequent source of spam. Perhaps there is a new South American botnet in the making?
From the royal baby to Edward Snowden
The royal-baby-themed campaigns ended after less than a day and are a great example of what one might call real-time spam: It uses the news of the day and only on the day that it happens, giving the fake alerts an air of urgency and hoping to fool those who might not have heard the news yet. In a particularly perfidious way, this tactic was used after the Boston bombings.
The current campaigns share another charcteristic of earlier real-time campaigns: switching to the next hot topic when it happens. The day after the mentioned waves, very similar emails were discovered containing subject lines such as “â€Snowden able to leave Moscow airport†– BreakingNews CNNâ€, promising exclusive news about the NSA whistleblowers asylum status. The emails contains a short teaser paragraph – apparently taken from CNN – and a link for further details and inetractive material. What happens when one clicks on the link should not come as a surprise to anybody at this point…
A fake CNN breaking news email about Edward Snowden