Cyber Criminals Exploiting the Boston Marathon Aftermath [UPDATED]
Posted by Jason Hill on 17 April 2013 05:02 PM
While the world recoils in shock at the horrifying events at Monday's Boston Marathon, cybercriminals are actively seeking to exploit people's thirst for information and eagerness to help those affected by the attacks.
Let's follow this campaign through the 7 Stages of Advanced Threats (as explained in our whitepaper) to see how cyber-criminals attempt to dupe and compromise users and their machines. We'll also show that breaking any one link in the chain can protect potential victims.
Stage 1: Reconnaissance
This campaign, like many other topical or event-based campaigns, attempts to propagate as widely as possible, rather than being directed at specific individuals or organizations. Given this, those behind the nefarious campaign simply have to identify a news story with global appeal (in this case, Monday's events), and then propagate their lure to as many people as possible.
Stage 2: Lure
Preying on human curiosity, in particular after a significant event, the lure is designed to get as many victims onto the hook as possible. In the email campaigns being monitored by Websense® Security Labs™, the email subjects have been designed to suggest that the message contains information or news regarding the events:
The message body itself, in most cases, contains a single URL in the format http://<IP Address>/news.html or http://<IP Address>/boston.html with no further detail or information. At this point, the recipient is lured to click on the malicious link, which ushers them on to stage 3.
Stage 3: Redirect
Having clicked the link, the unwitting victim is presented with a page containing YouTube videos of the horrific events (intentionally obscured below), while a hidden iframe on the same page silently redirects the browser to an exploit page.
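A defender who has the lure page's HTML can spot the stage 3 redirect mechanically: look for iframes that are styled invisible, sized at a pixel or two, or pointing at a host other than the page's own (apart from the expected video embeds). The following is an added example, not Websense code and not part of the original post; the sample page is constructed to match the description above, the 203.0.113.9 address is an RFC 5737 documentation address, `/landing.html` is a placeholder rather than the campaign's real exploit URL, and the `EMBED_HOSTS` allowlist is an assumption of this example.

```python
"""Flag <iframe> elements on a lure page that are hidden or point off-site.

Added example for this post, not Websense code. The page below is constructed
to match the post's description (visible video embeds plus an iframe to the
exploit page); 203.0.113.9 is an RFC 5737 documentation address and
/landing.html is a placeholder, not the campaign's real exploit URL.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Embed hosts treated as expected on a news-style page (assumption of this example).
EMBED_HOSTS = {"www.youtube.com", "youtube.com"}


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _px(value):
    """'1' or '1px' -> 1; anything else (e.g. '100%', missing) -> None."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True when the iframe is styled invisible or sized at 2px or less."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width, height = _px(attrs.get("width")), _px(attrs.get("height"))
    for m in re.finditer(r"(width|height):(\d+)px", style):  # inline CSS sizes
        if m.group(1) == "width":
            width = int(m.group(2))
        else:
            height = int(m.group(2))
    return any(d is not None and d <= 2 for d in (width, height))


def suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for iframes that are hidden or point off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src stays on the page's own host.
        host = (urlsplit(src).hostname or page_host).lower()
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden or near-zero size")
        if host != page_host and host not in EMBED_HOSTS:
            reasons.append("off-site src host " + host)
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample lure page (not a real capture). Video IDs are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>Boston Marathon Explosion</h1>
<iframe width="560" height="315" src="http://www.youtube.com/embed/VIDEO_ID_1"></iframe>
<iframe width="560" height="315" src="http://www.youtube.com/embed/VIDEO_ID_2"></iframe>
<iframe src="http://203.0.113.9/landing.html" width="1" height="1" style="border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    # The page itself was served from a bare-IP host, as in the campaign.
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, "192.0.2.10"):
        print(src, "->", ", ".join(reasons))
```

Only the 1x1 iframe to the documentation address is reported; the two visible embeds are skipped because they are full-size and on an allowlisted embed host. Sandboxes and proxies can apply the same two signals (size/visibility and off-site destination) before a user's browser ever follows the redirect.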
Stage 4: Exploit Kit
Based on an analysis of a sample set of the malicious URLs seen in this campaign so far, the RedKit Exploit Kit is being used. In our case it exploited an Oracle Java 7 Security Manager Bypass vulnerability (CVE-2013-0422) in order to deliver a file onto our analysis machine.
Stage 5: Dropper File
Rather than using a dropper file, which contains the malicious code within itself and is often packed to evade antivirus signatures, this campaign uses a downloader belonging to the Win32/Waledac family to fetch further malicious binaries. In this case, two bots, Win32/Kelihos and Troj/Zbot, are downloaded and installed on the compromised machine in order to join it to the cyber-criminals' bot network.
Stage 6: Call Home / Stage 7: Data Theft
Once the compromised machine is under the control of the cyber-criminal, the bots call home, which allows remote commands to be issued and for data to be sent and received. Common abuses of a compromised machine include data collection and exfiltration, such as the theft of financial and personal information. Other abuses include the sending of unsolicited email or the unwilling participation in Distributed Denial of Service attacks.
Websense customers are protected by ACE™, our Advanced Classification Engine, against cyber threats of this nature. In addition to blocking lures at stage 2 before they reach end-users, access to malicious destinations throughout stages 3 through 6 is denied, which, combined with data loss controls to protect against stage 7, helps to ensure that your data stays where it belongs and not in the hands of an attacker.
Thursday, April 18, 2013:
The campaign quickly evolved to match the latest news from the Texas fertilizer plant explosion.
The emails are similar, but use the texas.html path instead of boston.html.
Subject lines include:
The lure pages have updated titles, but the rest is similar:
Websense Security Labs will continue to monitor this campaign.
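The stage 2 lure described above, and its April 18 variant, share a shape that mail filters can score without any signature for the message text: a body consisting of little more than a single link whose host is a literal IP address and whose path is one of news.html, boston.html or texas.html. The following is an added example, not Websense code and not part of the original post; the scoring weights and threshold are an assumption of this example, and the sample bodies are constructed, using RFC 5737 documentation addresses rather than campaign infrastructure.

```python
"""Score email bodies for the bare-IP lure URL pattern described in the post.

Added example, not Websense code. Sample bodies are constructed; the IP
addresses are RFC 5737 documentation addresses, not campaign infrastructure.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Lure paths named in the post: news.html / boston.html originally,
# texas.html after the 18 April update.
LURE_PATHS = {"/news.html", "/boston.html", "/texas.html"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def is_bare_ip(host):
    """True when a URL's host is a literal IP address rather than a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def score_body(body):
    """Return (score, reasons) for one message body.

    Scoring (an assumption of this example, not a Websense rule):
      +1  a URL whose host is a bare IP address
      +2  ...and whose path is one of the known lure paths
      +1  the body contains essentially nothing except the link(s)
    """
    score, reasons = 0, []
    urls = URL_RE.findall(body)
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not is_bare_ip(host):
            continue
        score += 1
        reasons.append("bare-IP host " + host)
        if parts.path.lower() in LURE_PATHS:
            score += 2
            reasons.append("known lure path " + parts.path)
    # Remove the URLs; a lure body is the link and little else.
    remainder = URL_RE.sub("", body).strip()
    if urls and len(remainder) < 10:
        score += 1
        reasons.append("body is just the link")
    return score, reasons


def is_lure(body, threshold=3):
    """A body at or above the threshold matches the campaign's lure pattern."""
    return score_body(body)[0] >= threshold


# Constructed sample bodies (not real captures).
SAMPLES = {
    "lure_boston": "http://192.0.2.10/boston.html",
    "lure_texas": "http://198.51.100.7/texas.html\n",
    "newsletter": "Today's top stories: http://www.example.com/news.html\n"
                  "Unsubscribe: http://www.example.com/opt-out",
    "bare_ip_other": "Check the build at http://203.0.113.5/index.html when you can.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        score, reasons = score_body(body)
        print(f"{name:14} score={score} lure={is_lure(body)} {reasons}")
```

The two constructed lure bodies score 4 and are flagged; the newsletter, which uses the same news.html path on a domain name with surrounding text, scores 0, and a bare-IP link to an unrelated path scores only 1. Keeping the path list and the bare-IP check as separate signals means the rule survives the next topical rename (boston.html to texas.html) without a rewrite: only the path set needs updating.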