PCMag: My social media accounts and email inbox are full of links to stories about the horrific incident in Boston earlier this week. I am reading about the victims, the bystanders and first responders that rushed to help, and looking for updates on the investigation.
It turns out I should be careful about what links I click on, as cyber-criminals have already started exploiting the tragedy for their own nefarious purposes, security experts told SecurityWatch.
“Nothing is faux pas for cyber-criminals when it comes to spreading their malware,” said Troy Gill, senior security analyst at AppRiver.
Spammers Are Brazen
Less than 24 hours after the attack, spammers were in action, according to researchers from antivirus outfit Avira and email security provider AppRiver. The subject lines for these messages included “Explosion at Boston Marathon,” and “Boston Explosion Caught on Video,” according to Avira. AppRiver flagged other subject lines such as “Runner Captures,” and variations such as “Marathon Explosions” and “2 Explosions at the Boston Marathon.” AppRiver believes a botnet is behind the spam campaign as the messages originated from various machines around the world.
“This social engineering technique is not new. We see this every time there is something happening in the world (war, natural catastrophe, social events) that is potentially interesting for a lot of people,” said Sorin Mustaca, IT security expert at Avira.
The emails contain only the link, an IP address followed by index.html. Clicking on the link redirects the victim to three other sites while trying to download a malicious Java file from a randomly generated site on to the computer. If the user is not running a fully-patched version of Java and has Java enabled in the browser, the file is downloaded and executed. While the malware is being downloaded, the user will be able to view a video clip on the page, the researchers said.
Some of the Web pages containing the actual malicious payload appear to have already been taken down, said Gill. The malware itself appears to be a Trojan horse capable of installing a backdoor to the infected machine, giving attackers remote access for future attacks.
Email isn’t the only attack vector, as Avira also found posts on Facebook with links to various websites that appear to be malicious.
Beware What You Click
To be honest, I shouldn’t have been surprised. The criminals and scammers love tragedies because people are searching for updates and information and are likely to click on links. On a normal day, a news report from the city of Troy’s Patch.com site probably would not have crossed my radar, but today it did. While my instinct is to click to get more insights, punditry, and stories, now is also a time I have to be cautious lest I wind up on a malicious site. Stick with a list of sources you generally use, and above all, don’t click on shortened links on social media. Better safe than sorry.
“Anytime there is widespread attention to a single event in the media and public interest, you will see parasitic cybercriminals coming out of the woodwork and attempting to capitalize on the event,” Gill said.
While this round of spam is easy to identify since the URL is not using a domain name but an IP address, similar campaigns are likely, so users should remain vigilant.
“While most people know by now not to click on links in unsolicited emails, human emotions still get the better of us at times and these types of attacks prey on that human element,” Gill warned.
And if you still haven’t updated Java, now really is a good time to do so, especially since Oracle released a new update yesterday. If you aren’t using Java regularly, please, just disable the plugin inside your browser.