Warning! Hackers are exploiting Texas explosion news to spread malware

Filed Under: Featured, Malware, Spam

Once again, cybercriminals are leaping at the opportunity to take advantage of breaking news stories to spread malware.

The latest example, coming just days after malware authors exploited interest in the Boston Marathon bombings, concerns the fatal explosion in the small community of West, Texas, of a fertiliser plant.

Here's an example of one of the malicious emails intercepted by SophosLabs, with the subject line "CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas".

Malicious email

Other messages have been seen using the subject line "Raw: Texas Explosion Injures Dozens".

Clicking on the link contained inside the emails takes unsuspecting computer users to a webpage that contains a series of embedded YouTube videos.

Video website designed to infect visiting computers

Harmless enough, you might think. However, the webpage also contains a 640x360 pixel iFrame, that attempts to suck in malicious content from another site, designed to infect your computer. The attack uses the Redkit exploit kit to take advantage of vulnerabilities on visiting PCs in order to infect them with malware.

The Redkit exploit kit uses a PHP shell hosted on compromised websites to run its operations.

Firstly, Redkit bounces first level redirects to the next compromised server, and then malicious content delivering PDF or JAR (Java Archive) exploits are served up from a command & control server.

Sophos protects against the attack, detecting the injected malicious iFrames as Troj/ExpJS-II and Troj/Iframe-JG.

It seems clear that whoever is behind this malware attack was also being the attempt to infect computers with malware using the disguise of a news story about the Boston bombing earlier this week.

The criminals behind this attack couldn't care less that innocent people have died in Texas and Boston. Their only interest is making money by exploiting the computers of news-hungry internet users.

Don't make life easy for malicious hackers - and always go to legitimate news outlets for breaking news rather than rely upon unsolicited emails.

Thanks to SophosLabs researchers Paul Baccas and Fraser Howard, and Naked Security reader Nick Burns, for their assistance with this article.

, , , , ,

You might like

18 Responses to Warning! Hackers are exploiting Texas explosion news to spread malware

  1. Tim · 902 days ago

    I don't really get the idea of these types of posts I must say.

    I know it's a bit of a generalisation...but anyone who is a regular regular reader of this blog would not be the type to fall for scams of this type. Similarly (and conversely), the type of person that is going to fall for it would not be a reader of this blog....so what's the point exactly?

    I suppose you could argue that if you could stop just one person from clicking on a malicious email, it will be worth it.

    Personally, I think you should change the majority of your posts to cater more for IT pros who may just make up the bulk of your readership (a la posts by Paul Ducklin)

    Posts for folks who fall for obvious scams should be migrated to some kind of 21st century equivalent of the BBC public information films from the 60's & 70's.



    • Although Naked Security old-timers might be wise to these sort of tricks by the bad guys, there's plenty of new readers joining our ranks all the time.

      In fact, thousands of people arrive on Naked Security for the first time - every day. And - hey - there's really no harm in us all being reminded of the social engineering tricks used by malicious hackers, is there?

      And if you don't want to read these kind of articles, it's really no effort to skip them is it? :)

      Thanks for your comments though - they *are* appreciated.

    • MikeP_UK · 902 days ago

      Why should new readers be excluded from learning about the lowlifes who post this type of scam email? And why should Naked Security only be aimed at 'professionals' in the security field?
      ALL computer users ought to have regular access to information and advice about avoiding getting caught out by the nefarious activities of some. Plus, as the 'playing field' is constantly changing everyone should be allowed to know what is happening and be able to consider the advice offered by Graham, Paul, etc and their colleagues on a regular basis.
      I strongly believe that most readers are not IT professionals but computer users who are IT savvy and interested in the best information available to avoid their system(s) being 'fried' by malware, etc.
      So please keep the general format as it is and make all the advice available to all and readable by all. (Note that I say this as a retired electronics and software trainer who has been using computers in various forms since 1964!)

    • Ben · 899 days ago

      I see your point, but I also find these types of stories useful to share on social media, directed at those who regularly fall for these types of spam messages and links. Not to mention some of my older relatives who are pretty new to the internet.

      I also find my own curiosity answered by the posts regarding the 'what happens and how'. It's interesting to see the variety of attacks from professional to amateur cyber criminal.

  2. Curtis · 902 days ago

    These types of articles are beneficial for me as an analyst because I can keep an eye out for the new spam that's trying to get in on our environment and verify if it was dropped or not.

    I can then reach out to the individuals that did receive the emails and do additional monitoring to see if they were compromised or not.

    I appreciate articles like these and hope to see more in the future.

  3. Ann-Marie · 902 days ago

    NOT an IT person but have been using computers a long time. Have graduated to a MAC so don't have to worry as much any more but thank you keeping EVERYONE in the loop!

  4. flossie · 902 days ago

    I agree with Graham.
    Plus, having these appear in my FB newsfeed allows me to share them with people who may not be as IT savvy as the 'bulk of the readership'.
    Any making this blog more for IT pros would immediately alienate the readers who don't have that level of knowledge.
    I think these guys strike the right balance - keep up the great work!

  5. Joe · 902 days ago

    please stop confusing WACO with WEST... there is a huge difference...

  6. GaiaS · 902 days ago

    Dear Tim--
    as Graham above noted, "thousands of people arrive on Naked Security for the first time - every day."

    I myself, no nube (or is it nOObe?), stumbled here just yesterday. There is simply SO MUCH stuff out here that one would need to spend one's entire life doing nothing but clicking from link to link--which is how I got here. ;)

    I immediately signed up to the mailing list...

  7. pat · 902 days ago

    well i never came here before i saw your tweet about malware, never heard of naked security before that, so from one tech dinosaur i say thank you

  8. pat · 902 days ago

    also i find tims post very singleminded the way he thinks everybody is so tech focused as to not fall for scams, im not so sure. If yo were at home about to go down the shop for dinner and you got a warning there is a robber at the shop would yu still go to the shop, or thank the person that warned you?

  9. newbie46 · 902 days ago

    newbie here

  10. Alex B · 902 days ago

    Even as a seasoned tech pro of nearly 20 years, I think I may have fallen for this one yesterday, having followed a twitter link. Seems I may have been fortunate in that I was browsing on a non-windows tablet.

    Keep up the good work.

  11. rogabert · 902 days ago

    You are risking compromising your credibility! This happened in WEST, Texas which is NEAR Waco. The explosion happened in the little town of WEST, TX. Your headline gives the wrong impression that an explosion has happened in Waco. I enjoy your posts informing us of these type of scams and hoaxes. Its a shame something like this kinda makes you look as bogus as the scams you report on. :(

    • rogabert · 901 days ago

      Ahh, I see you've changed your headline now!! Good move, NOW it makes sense and causes no confusion. Before when you mentioned Waco my first thought was that this was an old article from way back when the Waco incident happened. Thank you for changing it!!

  12. Cissi · 902 days ago

    Thank you all for getting on Tim's case before I did.

    My friend is a computer geek and posted this to his Facebook page drawing m,e here and allowing me to now have a new source for geek news and information that will benefit me and the readers of my eblast.

  13. Beryle · 901 days ago

    I just can't fathom Tim's way of thinking. I personally run a Security/Scam Warning group on Facebook. Even though there are only 44 members, EACH and EVERY member appreciates what I post. Not only this, but I also have OVER 3,000 "friends" on my Facebook contact list. I post in BOTH places. I see more and more people falling for scams EVERY day and I alert them when I see them fall for them. As a result, I have seen some of them sign up as a result of me informing them about the scams, etc. Mind you, I am NOT an IT person (just a normal pc user like many people on Facebook. I just find myself more up to date than most people that fall for these scams. As an end note, I noticed this morning that an additional 3 people had been added to the group I mentioned earlier advising people about scams, etc. So, needless to say, the message IS starting to get through even by normal pc users (even people that haven't got much pc experience) are now starting to listen to me and my warnings. They actually RELY on my information which I get from various areas including Naked Security, Hoax-Slayer, ThatsNonsense.com, Australian Comsumer Authority (just to name a few reputable sources). I have NEVER been so informed in the past as I am now. Keep the updates coming, Naked Security, as MANY people (like myself) rely on your information.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley