CIO

Nimble spammers exploit Boston bombings, Texas disaster

Spammers have always been quick to exploit avid interest in news events to capture eyeballs for their junk, but this week really tested their nimbleness.

They mounted a massive spam campaign following the bombings at the Boston Marathon on Monday, then turned on a dime later in the week when an explosion at a fertilizer plant in West, Texas jumped to the top of the news queue.

A single spam gang that specializes in capitalizing on news events is behind the Boston and Texas spam campaigns, according to Henry Stern, a threat researcher with Cisco in San Jose, Calif.


"This is a gang that does this quite often," he said in an interview. "They're trying to get new recruits for their botnets."

Botnets are networks composed of "zombie" computers whose control has been captured by a "botmaster." Once under the botmaster's control, the zombie net can be used for a variety of purposes including sending out spam.

The spammers launched their Texas campaign even as they continued their Boston one, Stern explained.

"They found a bunch of new YouTube videos, wrote eight new subjects for their emails, and they just changed their root page and out it went," he said. "They were very quick to do that. It shows they're paying attention to the news and figuring out what people are interested in in order to exploit that curiosity.

"It only took them a matter of hours to push that spam out," he added.

Spam from both campaigns contains a link to a page created by the gang that hosts videos of the respective tragedies.

At the bottom of the page is an iFrame. iFrames allow content from one website to be displayed inside a web page belonging to another site. They can be invisible to someone viewing the page, as is the case with the spammers' page.

When net surfers land on the page of videos, botware is pushed to their computer through the invisible iFrame without their knowledge.
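The delivery mechanism described above, an iFrame sized or styled so the visitor never sees it, is something a defender can check for in a page's HTML. The following is an added example, not code from the article or from the researchers it quotes; the page markup and the `attacker-placeholder.invalid` URL are constructed for illustration.

```javascript
// Added example (not from the article or its sources): scan a page's HTML for iframes
// that are hidden from the viewer, the pattern the article describes for the
// spammers' video pages. The HTML below is a constructed sample, not a real page.
const SAMPLE_HTML = `
<html><body>
<h1>Breaking: explosion videos</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEO_ID_A"></iframe>
<iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEO_ID_B"></iframe>
<iframe src="http://attacker-placeholder.invalid/load.php" width="1" height="1"
        style="visibility:hidden; position:absolute; left:-1000px"></iframe>
</body></html>`;

// Parse name="value" / name='value' / name=value pairs out of one tag's text.
function parseAttrs(tagText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return the reasons an iframe would be invisible to a person viewing the page.
function hiddenReasons(attrs) {
  const reasons = [];
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  if (!Number.isNaN(w) && w <= 1) reasons.push("width<=1");
  if (!Number.isNaN(h) && h <= 1) reasons.push("height<=1");
  const style = (attrs.style || "").toLowerCase();
  if (/display\s*:\s*none/.test(style)) reasons.push("display:none");
  if (/visibility\s*:\s*hidden/.test(style)) reasons.push("visibility:hidden");
  if (/(?:left|top)\s*:\s*-\d/.test(style)) reasons.push("off-screen");
  if (/opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)/.test(style)) reasons.push("opacity:0");
  return reasons;
}

// Scan HTML and return every iframe that carries at least one hiding indicator,
// with its src so the target can be reviewed or blocked.
function findHiddenIframes(html) {
  const findings = [];
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const attrs = parseAttrs(tag);
    const reasons = hiddenReasons(attrs);
    if (reasons.length > 0) findings.push({ src: attrs.src || "", reasons });
  }
  return findings;
}

console.log(findHiddenIframes(SAMPLE_HTML));
```

A static scan like this only sees markup as served; iframes injected later by script need the page to be rendered (for example in a headless browser) before the same checks are applied to the live DOM.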

Boston bombing spam was strong throughout the week, according to Loredana Botezatu, a spam threat analyst with Bitdefender in Romania. Twenty percent of the spam samples captured by Bitdefender have been related to the bombings, she noted.

Maintaining those volumes over an extended period of time is impressive. "Imagine that a lot of these domains [used by the spammers] have been shut down in the meantime, and they are still resourceful enough to keep going for it," she said in an interview.

She maintained that a variety of malware is being pushed by the Boston campaign. "They're trying to take advantage of the unpatched vulnerabilities in Java," she said.

Earlier this week, Oracle issued a "critical" update to Java -- one of many in recent weeks -- to address security vulnerabilities in the programming language. However, that's unlikely to deter digital desperadoes from continuing their activities, according to Botezatu.

"Spammers and malware criminals are very resourceful, and there are lots and lots of exploits and vulnerabilities that they use," she said.

Botezatu explained that the Boston spam pushes malware to machines, and that malware then scans them for multiple vulnerabilities to exploit.

"They're very focused," she added. "They want to infect many machines."

Security experts warn users not to open links in suspicious emails to avoid being snared in traps set by spammers like those exploiting the news events in Boston and Texas.

"People know, for the most part, not to do that," Troy Gill, a senior security analyst with AppRiver in Gulf Breeze, Fla., said in an interview. "But sometimes, I think, our emotions get the better of us, and these are certainly emotional stories."
