So I’m minding my own business when out of nowhere and into my inbox I get a message from my CudaPal Luis. “Christine, check this out …”
What you see there is Luis’ screenshot of an email that he is tracking with the Barracuda Real-Time System (shown in the background to the left). This email impersonates Eubank Funeral Home, and attempts to trick a reader into downloading information about the funeral of a friend. The poor reader either recognizes this is a scam and acts accordingly, or he falls for the scam and ends up exactly where the attacker wants him to be. And believe me, that ain’t no funeral home website.
Here’s the text of the message that Luis found:
For this unprecedented event, we offer our deepest prayers of condolence and invite you to be present at the celebration of your friends life service on Thursday, January 17 2014 that will take place at Eubank Funeral Home at 11:00 a.m.
Please find invitation and more detailed information about the farewell ceremony here.
Best wishes and prayers,
Funeral home receptionist,
The “here” link takes you to a website that offers a malware download. The download will install a trojan that will connect the infected device to the Asprox botnet. Like any other trojan, it may also download and install additional pieces of malware that do other bad things. This download is a zipped executable for Windows machines, or an .apk file for Android devices.
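A mail or web gateway can flag both delivery formats described above by looking inside the file rather than trusting its name. The sketch below is an added example, not code from Barracuda or from the original post; the function names, the extension list and the sample file names are assumptions made for illustration, and the samples are constructed, harmless byte strings.

```python
import io
import zipfile

# Extensions Windows runs on double-click (assumed list for this example).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")

def classify_download(data: bytes) -> str:
    """Classify a fetched file: executable, zipped-executable, apk, zip, other."""
    if data[:2] == b"MZ":                      # bare Windows PE file
        return "executable"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "other"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # An APK is a ZIP carrying an Android manifest and Dalvik bytecode.
        if {"AndroidManifest.xml", "classes.dex"} <= names:
            return "apk"
        for info in zf.infolist():
            if info.is_dir():
                continue
            magic = b""
            if not info.flag_bits & 0x1:       # encrypted members can't be read
                with zf.open(info) as member:
                    magic = member.read(2)
            # Trust content over name: a PE header hides behind any extension.
            if magic == b"MZ" or info.filename.lower().endswith(EXECUTABLE_EXTS):
                return "zipped-executable"
    return "zip"

def _make_zip(members: dict) -> bytes:
    """Build a ZIP in memory for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

PE_STUB = b"MZ" + b"\x00" * 62                 # header bytes only, not a program
SAMPLES = {                                    # constructed, harmless inputs
    "windows": _make_zip({"FuneralInvitation.exe": PE_STUB}),
    "disguised": _make_zip({"FuneralInvitation.pdf": PE_STUB}),
    "android": _make_zip({"AndroidManifest.xml": b"", "classes.dex": b"dex\n035\x00"}),
    "benign": _make_zip({"notes.txt": b"service at 11:00 a.m."}),
    "document": b"%PDF-1.4\n" + b"0" * 64,
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:10} -> {classify_download(blob)}")
```

The "disguised" sample is the case that matters most in practice: the archive member is named like a document, but its first two bytes give it away.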
A similar message published by Tech Help List shows that there is some variation in the name of the funeral home and the message content:
The Amos Family
Hereby we want to share your sorrow for your dear friend who passed away on Friday, January 10, 2014.
You are cordially invited to express your sympathy in memory of your friend at a celebration of life service that will be held on Monday, January 13, 2014 at the Ocker Funeral Home, Arkansas.
Please find more detailed information about the memorial service here.
Funeral Home Secretary,
The emails are coming from legitimate but presumably compromised domains. So far we haven’t seen any domains that actually belong to funeral homes.
This scam is similar to another campaign in which attackers sent “wedding invitations” rather than “funeral announcements.” (Seems like there’s a joke in there somewhere.)
The website with the malware appears to be offline at the moment. But if this attack was in any way successful, you can be sure that it will be back.
Learn more about our research on our Barracuda Labs blog.