Online fraudsters have predictably jumped on the tragic downing of Malaysian flight MH17 to trick users to click on spammy and malicious Twitter links which could lead to malware infection, according to Trend Micro.
In a blog post on Friday, researchers at the security giant said it spotted suspicious looking online activity just hours after Malaysia Airlines tweeted its first portentous post about losing contact with the aircraft whilst it flew over Ukrainian airspace.
The tweets, written in Indonesian, used the hashtag #MH17 which soon began trending on the micro-blogging site.
They featured various .tk URLs which resolve to two IP addresses.
“Based on our analysis, these two IPs are verified to be webhosting/shared IP located in the US,” Trend Micro said. “The said IPs are mapped to multiple domains. Some of these domains are malicious while there are other legitimate normal domains hosting blogs.”
The researchers argued that the cyber criminals behind the tweets are either trying to drive hits and page views on these blogs to make money from advertising, or achieve a more malicious endgoal.
“The malicious domains associated with these IPs, are connected to a ZeuS variant detected as TSPY_ZBOT.VUH and SALITY malware,” they wrote.
“ZeuS/ZBOT are known information stealers while PE_SALITY is a malware family of file infectors that infect .SCR and .EXE files. Once systems are infected with this file infector, it can open their systems to other malware infections thus compromising their security.”
Hijacking major breaking incidents like this for illegal gain is nothing new.
From the death of Michael Jackson to the mysterious disappearance of Malaysian Airlines flight MH370 – cyber criminals have always been among the first to react, tapping a huge public appetite for information to trick users into clicking on spammy or malicious links or opening suspicious attachments.
“We expect that as soon as more details of the MH17 crash unfolds, cybercriminals will launch other attacks that may possibly lead to personal information theft and system infection,” Trend Micro warned. “Users are highly recommended to remain vigilant for threats that could leverage this news.”