“While the world recoils in shock at the horrifying events at Monday's Boston Marathon, cyber-criminals are actively seeking to exploit people's thirst for information and eagerness to help those affected by the attacks,” Websense said in a blog breaking down the forensics of the opportunistic attack, adding that the same campaign has shifted its lures to focus on the fertilizer plant explosion in the Lone Star State.
The Websense ThreatSeeker Network found that the attack starts with emails whose subject lines are designed to suggest that the message contains news or information about the recent events. They include “Explosions at Boston Marathon” and “Aftermath to explosion at Boston Marathon,” as well as “Texas Plant Explosion” and “Raw: Texas Explosion Injures Dozens.”
“This campaign, like many other topical or event-based campaigns, attempts to propagate as widely as possible, rather than being directed at specific individuals or organizations,” said Websense. “Given this, those behind the nefarious campaign simply have to identify a news story with global appeal (in this case, Monday's events), and then propagate their lure to as many people as possible.”
The message body itself, in most cases, contains a single URL with no further detail or information; the bare link is the lure, and the recipient is expected to click it to find out more. The victim is then presented with a page containing YouTube videos of the horrific events, while an iframe on the same page silently loads an exploit page in the background, so the user sees only the videos while the exploit runs.
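The two traits just described (a message body that is nothing but one URL, and a decoy page carrying a hidden iframe that pulls content from a different host) are both easy to check for mechanically. The following is an added example written for this page, not Websense's code or any sample from the campaign; the hostnames, the mail and the HTML page are constructed placeholders, and the subject line is simply one of those the article lists.

```python
"""Heuristic checks for the lure structure described above.

  1. bare_url_body(): flag an e-mail whose body is a single URL and nothing else.
  2. hidden_cross_site_iframes(): list iframes on a landing page that are hidden
     (zero/one-pixel size, display:none, visibility:hidden, or pushed off-screen)
     and whose src points at a host other than the page's own.

Assumptions: single-part text/plain messages (multipart handling omitted), and
all sample data below is constructed for illustration.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_ONLY = re.compile(r"^\s*(https?://\S+)\s*$")


def bare_url_body(raw_msg: str):
    """Return the URL if the whole message body is one URL, otherwise None."""
    msg = message_from_string(raw_msg)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    m = URL_ONLY.match(body)
    return m.group(1) if m else None


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe's attributes suggest it is not meant to be seen."""
    style = attrs.get("style", "").replace(" ", "").lower()

    def tiny(value):  # width="0", height="1px" and the like
        return value.strip().rstrip("px") in ("0", "1")

    if tiny(attrs.get("width", "x")) or tiny(attrs.get("height", "x")):
        return True
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(left|top):-\d+", style):  # positioned off-screen
        return True
    return False


def hidden_cross_site_iframes(page_url, html):
    """Return src values of hidden iframes that load content from another host."""
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host != page_host and _is_hidden(attrs):
            hits.append(src)
    return hits


# Constructed sample data (placeholder hosts, not real indicators).
SAMPLE_MAIL = """From: news@example.invalid
To: victim@example.invalid
Subject: Aftermath to explosion at Boston Marathon
Content-Type: text/plain; charset=utf-8

http://lure.example.invalid/boston.html
"""

SAMPLE_BENIGN_MAIL = """From: friend@example.invalid
To: victim@example.invalid
Subject: Aftermath to explosion at Boston Marathon
Content-Type: text/plain; charset=utf-8

Saw this on the news site this morning: http://news.example.invalid/story
"""

SAMPLE_PAGE = """<html><body>
<h1>Boston Marathon explosion</h1>
<iframe width="560" height="315" src="http://video.example.invalid/embed/clip1"></iframe>
<iframe src="http://exploit.example.invalid/kit.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("bare URL lure:", bare_url_body(SAMPLE_MAIL))
    print("hidden cross-site iframes:",
          hidden_cross_site_iframes("http://lure.example.invalid/boston.html", SAMPLE_PAGE))
```

The visible video embed is cross-site too, but is left alone; only the one-pixel, visibility-hidden frame pointing at a third host is reported. On real mail the first check would be combined with sender reputation and URL reputation, since a lone link in a message is common in legitimate mail as well.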
Websense found that the exploit page is served by the RedKit Exploit Kit, which targets an Oracle Java 7 Security Manager bypass vulnerability (CVE-2013-0422) to run code on the visitor's machine. That initial foothold is then used to download and install Win32/Kelihos and Troj/Zbot, which join the compromised machine to the cybercriminals' botnet. CVE-2013-0422 was fixed by Oracle in Java 7 Update 11 in January 2013, so a system with a current Java installation, or with the Java browser plug-in disabled, is not exposed to this particular exploit.
Once the machine is under the cybercriminals' control, the bot calls home to its command-and-control infrastructure, which allows remote commands to be issued and data to be sent to and received from the infected host.
“Our thoughts are with the victims and their families at this time. While these cyber abuses are minor by comparison, users can help protect themselves by sourcing the news directly from reputable news agencies,” Websense said. “Should you want to donate (be that blood to local hospitals or money to assisting organizations), be sure to visit official websites rather than following links that appear in your mailbox.”
Sadly, this type of predatory opportunism crops up quite often in the aftermath of a horrific event. When Hurricane Sandy hit last fall, fraudulent "charity" sites were among the first to make an appearance in emails relating to the disaster.