Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Malware Attackers Exploit Boston Marathon Bombing

Now, 40% of all spam on the Internet name-drops the tragedy to trick users into executing malicious files or visiting sites that launch drive-by attacks.

In the wake of any high-profile tragedy, scammers quickly spring into action. That's continued to be the case in the wake of Monday's Boston Marathon bombing, as attack campaigns backed by spam and malicious websites have used the tragedy as a lure for infecting PCs with malware.

By Wednesday, Cisco reported that 40% of all spam emails seen crossing the Internet were name-dropping the Boston Marathon bombing.

But related malicious online activities began just hours after the bombing, with more than 125 potentially fake domains that tied to the event registered Monday, according to TheDomain.

By Tuesday, that number had grown to 234, reported John Bambenek at Internet Storm Center. "Some of these are just parked domains, some are squatters who are keeping the domains from bad people. A couple are soliciting donations (one is soliciting bitcoins, oddly enough)," he said. "So far, there has been no reports of any spam related to this but there have been a few fake twitter accounts which are fairly quickly getting squashed."

[ Congress can't solve our cybersecurity problems. See CISPA 2.0: House Intelligence Committee Fumbles Privacy Again. ]

Also Tuesday, "the first of two botnets began a massive spam campaign to take advantage of the recent Boston tragedy," said Craig William, a technical leader in Cisco's security intelligence operations group, in a blog post. "The spam messages claim to contain news concerning the Boston Marathon bombing. The spam messages contain a link to a site that claims to have videos of explosions from the attack. Simultaneously, links to these sites were posted as comments to various blogs."

Related email subject lines included "Explosion at Boston Marathon" and "Boston Explosion caught on Video," and many of the emails contained a link that included a numeric IP address with "news.html" or "boston.html" at the end. "Once visited, the page redirects to three other URLs which try to drop a JAR [Java archive] file on your system, if they detect that the computer has a vulnerable Java installation installed," said security researcher Sorin Mustaca at antivirus vendor Avira, in a blog post.

Another string of malicious websites used iFrames to display related videos of the Boston explosions from YouTube while attempting to silently install a malicious Java app that exploits a known Java vulnerability. According to some reports, these sites would later push a malicious Windows executable (.exe) file, too.

Wednesday, a second botnet began sending Boston bombing-related spam, including a link that was falsely labeled as having come from CNN. "In reality, the link takes users to a compromised website that contains an instant HTTP meta-refresh redirect to an attacker controlled site that we believe is attempting to install the Blackhole Exploit Kit," said Cisco's Williams. Crimeware toolkits such as Blackhole target known vulnerabilities on a PC. If successfully exploited, the toolkit drops additional malware onto the system, allowing attackers to turn the PC into a spam relay or node in a distributed-denial-of-service attack. In addition, any sensitive data stored on the PC, such as banking credentials, may be transmitted to attackers.

Jason Hill, a researcher at Websense Security Labs, also reported seeing a bombing-themed exploit that uses the RedKit Exploit Kit to "exploit an Oracle Java 7 Security Manager Bypass vulnerability (CVE-2013-0422)" that was patched by Oracle in January.

In any of the above attack scenarios, criminals are using the bombing as a lure to trick users into executing malicious files or visiting sites that launch drive-by attacks. "This social engineering technique is not new. We see this every time there is something happening in the world (war, natural catastrophes, social events) that is potentially interesting for a lot of people," said Avira's Mustaca.

"Clearly, there are no depths to which cybercriminals are not prepared to stoop in their hunt for victims," Graham Cluley, senior technology consultant at Sophos, said in a blog post. "The sick truth is that malware authors and malicious hackers lose no sleep about exploiting the deaths of innocent people in their attempt to infect computers for the purposes of stealing money, resources and identities."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
4/26/2013 | 3:27:45 PM
re: Malware Attackers Exploit Boston Marathon Bombing
That really is a
shame teat a tragedy is exploited in such a way. I say find out who hosts the
site and go after them full force; you cannot have people doing this when the
intention appears to be good. That is social engineering at its best, simply
taking peoples personal emotions and playing them to get what you want or in
this case being attacked. 40% is a very high number to be dealing with, when
that was the bulk of the spam following the tragedy.

Paul Sprague

InformationWeek Contributor
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Palo Alto Networks to Buy CloudGenix for $420M
Dark Reading Staff 3/31/2020
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5300
PUBLISHED: 2020-04-06
In Hydra (an OAuth2 Server and OpenID Certifiedâ„¢ OpenID Connect Provider written in Go), before version 1.4.0+oryOS.17, when using client authentication method 'private_key_jwt' [1], OpenId specification says the following about assertion `jti`: "A unique identifier for the t...
CVE-2019-19699
PUBLISHED: 2020-04-06
There is Authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration, This allows the apache user to modify an executable file executed by root at 22:30 every day. To e...
CVE-2020-11102
PUBLISHED: 2020-04-06
hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.
CVE-2020-11507
PUBLISHED: 2020-04-06
An Untrusted Search Path vulnerability in Malwarebytes AdwCleaner 8.0.3 could cause arbitrary code execution with SYSTEM privileges when a malicious DLL library is loaded.
CVE-2020-11544
PUBLISHED: 2020-04-06
An issue was discovered in Project Worlds Official Car Rental System 1. It allows the admin user to run commands on the server with their account because the upload section on the file-manager page contains an arbitrary file upload vulnerability via add_cars.php. There are no upload restrictions for...