MH17 spammers direct Twitter users to Zeus-ridden websites

News by Doug Drinkwater

In the aftermath of the MH17 tragedy which saw almost 300 people lose their lives in an airplane crash over Ukraine, cyber-criminals are taking advantage by leading social media users to malicious websites.

The Malaysia Airlines' MH17 aircraft is believed to have been hit by a missile on July 17 and crashed by Hrabove near Donetsk, about 40km (25 miles) from the Ukraine-Russia border where tensions have been high between the government and pro-Russian separatists ever since the Russian takeover of Crimea in March.

At 23.36 GMT on the night of the incident, Malaysia Airlines, which also saw its MH370 plane disappear without trace in March, tweeted: “Malaysia Airlines has lost contact of MH17 from Amsterdam. The last known position was over Ukraine airspace. More details to follow.”

Since then, cyber-criminals have taken to Twitter and Facebook to publish spam messages designed to entice social media users to click on malicious links.

Anti-virus vendor Trend Micro has spotted a stream of Twitter spam messages in the wake of the tragedy, with these messages written in Indonesian and adopting the trending #MH17 hashtag.

The firm says that the two .tk URL links go to two IP addresses located in the US, but adds that the IPs are mapped to various domains. “Some of these domains are malicious while there are other legitimate normal domains hosting blogs,” said a company spokesperson.

The company added that the majority of these web addresses are benign and are designed purely to ramp up page views. “We surmise that this spam is for gaining hits/page views on their sites or ads,” reads the company's most recent advisory.

However, the firm also warns that some of the domains are hosting a new variant of the Zeus Trojan.

“The malicious domains associated with these IPs, are connected to a Zeus variant detected as TSPY_ZBOT.VUH and SALITY malware,” said the company.

“Zeus/ZBOT are known information stealers while PE_SALITY is a malware family of file infectors that infect .SCR and .EXE files. Once systems are infected with this file infector, it can open their systems to other malware infections thus compromising their security.”

Meanwhile on Facebook, cyber-criminals have taken to establishing Facebook pages in the names of the victims, including the names of three children from Western Australia. These pages link to suggestive headlines like “Video Camera Caught the moment plane MH17 Crash over Ukraine. Watch here the video of Crash”. The links redirects users to websites with multiple pop-up ads for suspicious services.

Facebook has since shut down these pages.

This latest incident continued a trend of cyber-criminals using recent disasters to trick people into visiting malicious websites, or downloading malware. Most recently, similar campaigns were associated with the disappearance of the MH370.

Edward Savage, management analyst at PA Consulting, said that this news is the latest example that people should be careful what links they click on when using social media websites.

“This story is another good example of why you should be careful not to click on links unless you know they are to reputable and secure sites,” Savage told

“It's another example of act in haste and repent at leisure.  I know of a case where someone inadvertently downloaded key logging spyware through a dirty link.  It took several months to be discovered and cost a major clean-up operation.”

Chris Boyd, malware intelligence analyst at Malwarebytes, told SC that internet scammers are 'never far behind' real-life disaster, but says that they've developed shock videos as their latest tactic.

"Unfortunately, whenever disaster strikes the Internet scammers are never far behind. The fake social media pages which lead to surveys and use names / photographs of the victims in this case are particularly distasteful - usually these will use imagery of a downed plane, or a car crash or something else which steers clear of the victims.

"However, it seems that in recent months the so-called "shock video" social engineering has become more and more salacious and poor taste in an effort to keep people clicking.  This is likely the next step in that evolution.  Elsewhere on social media, rogue links and phishing attempts will continue to be peddled.  We advise all netizens to obtain their news from verified and trusted sources, and be wary of anything claiming to offer up "exclusive footage" on social media."

Andrew Conway, security researcher at anti-spam outfit Cloudmark, agreed saying: "Any time there is a big news story like this we see spammers try and exploit it by getting you to click on a link."

Conway added that most spam is distributed by organised groups, with affiliates getting money for each time someone clicks on a link. He, though, noted an increase in malware in email attachments and URL links, but said drive-by-downloads from spam messages has dropped off since Blackhole exploit sinkhole.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews