Once again, cybercriminals are leaping at the opportunity to take advantage of breaking news stories to spread malware.
The latest example, coming just days after malware authors exploited interest in the Boston Marathon bombings, concerns the fatal explosion in the small community of West, Texas, of a fertiliser plant.
Here’s an example of one of the malicious emails intercepted by SophosLabs, with the subject line “CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas”.
Other messages have been seen using the subject line “Raw: Texas Explosion Injures Dozens”.
Clicking on the link contained inside the emails takes unsuspecting computer users to a webpage that contains a series of embedded YouTube videos.
Harmless enough, you might think. However, the webpage also contains a 640×360 pixel iFrame, that attempts to suck in malicious content from another site, designed to infect your computer. The attack uses the Redkit exploit kit to take advantage of vulnerabilities on visiting PCs in order to infect them with malware.
The Redkit exploit kit uses a PHP shell hosted on compromised websites to run its operations.
Firstly, Redkit bounces first level redirects to the next compromised server, and then malicious content delivering PDF or JAR (Java Archive) exploits are served up from a command & control server.
Sophos protects against the attack, detecting the injected malicious iFrames as Troj/ExpJS-II and Troj/Iframe-JG.
It seems clear that whoever is behind this malware attack was also being the attempt to infect computers with malware using the disguise of a news story about the Boston bombing earlier this week.
The criminals behind this attack couldn’t care less that innocent people have died in Texas and Boston. Their only interest is making money by exploiting the computers of news-hungry internet users.
Don’t make life easy for malicious hackers – and always go to legitimate news outlets for breaking news rather than rely upon unsolicited emails.
Thanks to SophosLabs researchers Paul Baccas and Fraser Howard, and Naked Security reader Nick Burns, for their assistance with this article.