Spectre, Meltdown Flaws Already Producing Spam

As if the Spectre and Meltdown vulnerabilities that were disclosed earlier this month weren't bad enough, cybercriminals are already using the flaws to spread spam, as well as phony patches and updates, according to a European security agency.

Germany's Federal Office for Security and IT (BSI) has issued an alert warning about spam messages that are impersonating the security agency and appear to be related to updates regarding the Spectre and Meltdown flaws found in Intel's x86 CPUs. (See New Intel Vulnerability Hits Almost Everyone.)

Specifically, BSI is warning that these spam messages point victims to a fake website that offers patches and other updates regarding the flaws. However, the site is actually equipped with malicious code that can infect a PC or other device, such as a smartphone.

The spam Spectre and Meltdown patching site in action
\r\n(Source: Malwarebytes Labs)\r\n

In its January 12 statement, BSI notes these patch updates are not coming from the agency:

"In the context of the recently announced "Specter" and "Meltdown" vulnerabilities, the BSI is currently monitoring a SPAM wave with alleged security warnings from the BSI. The recipients are prompted to perform security updates that can be retrieved using a link contained in the mail. The link leads to a fake website, which has similarity to the citizen website (www.bsi-fuer-buerger.de) of the BSI. The download of the alleged update leads to a malware infection of the computer or smartphone."

The biggest problem with what BSI is facing is that agency has been offering legitimate updates on the flaws, which can lead to some confusion for users once the spam starts to hit the web.

While this type of spam has only been spotted in Europe so far, it's not hard to imagine it spready to the US, North America and the rest of the world, especially as the concerns about Spectre and Meltdown continue and Intel and some of its partners are finding it difficult to patch the flaw without serious performance issues. (See Security Warning: Intel Inside.)

In a blog post, Malwarebytes Labs found the phishing site, as well as the so-called patch that the spam emails are advertising. Researchers found that those that click on the email actually download a piece a malware called Smoke Loader, which can retrieve additional payloads and will attempt to connect to various domains and send encrypted information.

Researchers also note that users shouldn't be fooled by websites using HTTPS as part of the domain since that only protects data transferring between a device and the site.

"The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam," according to the Malwarebytes post.

Related posts:

— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.