Email-bound malware exploits Boston Marathon tragedy

Following the tragic attack on the Boston Marathon on Monday, cyber criminals have begun spreading scams related to the bombings.

Detections by security labs have shown malicious emails with attachments and fake domains. According to TheDomains, there were 125 potentially fake domains registered just hours after the attack in Boston and John Bambenek from Bambenek Consulting claimed he had seen 234.

Writing at the ISC diary, he said: “Some of these are just parked domains, some are squatters who are keeping the domains from bad people. A couple are soliciting donations (one is soliciting bitcoins, oddly enough). So far, there have been no reports of any spam related to this but there have been a few fake Twitter accounts that are fairly quickly getting squashed.”

Detections by Kaspersky Lab and AVG highlighted spam messages using the explosion to lure potential victims to malware and exploits. According to the AVG web threats research team: “These spam messages are very simple with a subject of ‘Explosion at Boston Marathon', and the message consists of just a numeric URL ending in ‘/boston.html' or ‘/news.html'.”

Kaspersky Lab found that once downloaded, the malware tries to connect to several IP addresses in Ukraine, Argentina and Taiwan.

According to Trend Micro's TrendLabs, there was a spam outbreak of more than 9,000 Blackhole Exploit Kit messages, all related to the tragedy. It said that some of the spammed messages used the subject line ‘2 Explosions at Boston Marathon' and ‘Aftermath to explosion at Boston Marathon'.
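The mail characteristics reported above by AVG (a bare numeric URL ending in ‘/boston.html' or ‘/news.html') and by TrendLabs (the lure subject lines) can be turned into a simple triage check. The script below is an added example, not code from any of the vendors quoted; the sample messages and the 192.0.2.x address are constructed for illustration.

```python
import re
import ipaddress
from email import message_from_string

# Subject lines reported on the page (AVG and TrendLabs), compared case-insensitively.
LURE_SUBJECTS = {
    "explosion at boston marathon",
    "2 explosions at boston marathon",
    "aftermath to explosion at boston marathon",
}
# Path suffixes AVG reported for the numeric URLs.
LURE_PATHS = ("/boston.html", "/news.html")
# Matches a whole body that is nothing but one http(s) URL.
URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?", re.IGNORECASE)


def is_bare_ip(host):
    """True if the URL host is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def classify(raw):
    """Return the list of lure indicators found in one RFC 822 message (single-part text assumed)."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    payload = msg.get_payload(decode=True)            # None for multipart, bytes otherwise
    body = (payload or b"").decode("utf-8", errors="replace").strip()
    reasons = []
    if subject in LURE_SUBJECTS:
        reasons.append("lure-subject")
    m = URL_RE.fullmatch(body)                        # body consists of just a URL
    if m:
        reasons.append("url-only-body")
        host, path = m.group(1), (m.group(2) or "")
        if is_bare_ip(host):
            reasons.append("numeric-host")
        if path.lower().endswith(LURE_PATHS):
            reasons.append("lure-path")
    return reasons


# Constructed sample messages (TEST-NET address, .invalid domains).
SPAM = "From: x@example.invalid\nSubject: Explosion at Boston Marathon\n\nhttp://192.0.2.10/boston.html\n"
HAM = "From: y@example.invalid\nSubject: Marathon results\n\nResults: https://www.example.invalid/results\nSee you Monday.\n"

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("ham", HAM)):
        print(name, classify(raw))
```

A message that hits two or more indicators is a reasonable quarantine candidate; a single hit (for example a legitimate news subject) should only raise the score, not block on its own.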

According to Aisa Escober, threat response engineer at TrendLabs, the IP address of the download link varies every time it is accessed, which correlates with Kaspersky Lab's findings. “The downloaded samples have the same behaviour and same file size, except that it changes the icons used and the file names,” Escober said.

“Our analysis also shows that WORM_KELIHOS.NB hides all the directories on the removable drive and replaces them with a .LNK file that uses a folder icon. This executes the malware before it opens that original folder. In addition, it creates .LNK files on infected removable drives with the command C:\WINDOWS\system32\cmd.exe F/c “start %cd%\game.exe”.

“This worm has the capability to steal credentials from the different File Transfer Protocol (FTP) such as LeapFTP, P32bit FTP, FTP Control, SecureFX, BitKinex, FileZilla, and many more. One noteworthy routine about it is that it harvests email addresses from the affected computer's local drive.”

Christopher Boyd, senior threat researcher at ThreatTrack Security, said: “Historically, every time there's a high profile disaster or incident, we see a variety of social media scams in the days following that try to take advantage of the general public.

“On this occasion, we've seen a few Twitter profiles claiming they'll donate $1 per retweet, turning the tables on those venting frustration at the scams in circulation on social media. They did this by posting up ‘visit my personal account' messages with links to those attacking the scam accounts, then deleting them shortly after.

“The end result is that potentially innocent people were quickly deluged with very angry comments. Users of social media would probably be better off simply reporting fakes than tackling them directly.”