By Dave Michmerhuizen – Research Scientist
An appeal to curiosity is a favorite trick of spammers looking for clicks. When a tragedy occurs and people are consumed by the story, the worst sort of spammers crawl out of the woodwork and take advantage of a sad situation. Barracuda Labs honeypots are seeing a steady stream of malicious spam that shamefully pretends to offer information about the recent Boston Marathon bombings.
This sort of spam – just a link to a page hosted on an IP address – should ring warning bells right away. It should serve as an object lesson in why you should never click on unsolicited email links no matter how curious you might be about what they offer.
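As an added example (not part of the original post), here is a mail-filter heuristic for the pattern described above: a body that is little more than a link whose host is an IP literal. The function names, the word threshold and the sample messages (which use documentation-range addresses) are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed samples; the addresses are from documentation ranges.
SAMPLE_SPAM = "http://192.0.2.10/news.html\n"
SAMPLE_LEGIT = ("Hi team, the staging router admin page moved to "
                "http://198.51.100.7:8080/ after last night's maintenance "
                "window, please update your bookmarks.")


def host_is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 literal rather than a name."""
    try:
        host = urlsplit(url).hostname  # drops port, userinfo, IPv6 brackets
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return False
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:  # a DNS name, even one that starts with digits
        return False


def ip_literal_links(body):
    """Every http(s) link in a plain-text body whose host is an IP literal."""
    urls = [u.rstrip(".,;:)!?") for u in URL_RE.findall(body)]
    return [u for u in urls if host_is_ip_literal(u)]


def is_bare_ip_link_mail(body, max_other_words=8):
    """Heuristic: the body is little more than a link to an IP-hosted page."""
    hits = ip_literal_links(body)
    other_words = len(URL_RE.sub(" ", body).split())
    return bool(hits) and other_words <= max_other_words


if __name__ == "__main__":
    for name, body in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        print(name, ip_literal_links(body), is_bare_ip_link_mail(body))
```

The second sample shows why the word threshold matters: internal mail legitimately links to IP-addressed devices, so an IP-literal link alone is a signal to score, not a verdict.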
A number of different IP addresses have been used for these spammed links. Visiting one lands you on a page that shows a number of YouTube video previews. A suspicious person might think these are bogus, but in fact they are real and you can even watch them. The videos are there to distract you from what is really happening to your computer.
The page with the video previews also contains an iframe – an HTML sub-window – and behind the scenes that iframe loads a URL from a compromised website.
The URL at the compromised site serves exploit code that sends a Java exploit to the browser, which ultimately results in a malware download.
This spam attack is fast-moving, with new links being thrown into rotation as old ones are taken down. The malware pushers have no shame and no mercy, so it is imperative to keep your guard up. Stay away from links that arrive out of nowhere and limit your news consumption to reputable outlets.