Malware infected (Cyprus Crisis) emails arriving, as predicted on Sunday
March 19, 2013
Two days ago, on Sunday afternoon, 3/17/2013, I wrote about two email scams that I intercepted, both of which carried malicious code in their attachments. At that time I predicted that we would see a flurry of malware-laden messages this week. It is happening right now.
Today alone, I have analyzed 7 more email scams, all of which either contained malware attachments or linked to online exploit kits. The last two, at the time of writing, are worth describing here, to warn my readers against clicking on the links they contain.
I am referring to a new scam that forges the BBC as the sender, claiming that a friend asked for it to be sent to (you). It has language describing an ongoing crisis in Cyprus and contains links pretending to go to the BBC article about this matter. Instead, they take you to the Blackhole Exploit kit.
Here are some of the pertinent details to watch out for...
Subject: BBC-Email: Several countries' deposits may be excluded from Cyprus Bank Tax, Why? We got a draft.
Body text (Visible portion):
Hazel Moon saw this story on the BBC News website and thought you should see it.

** Several countries' deposits may be excluded from Cyprus Bank Tax, Why? We got a draft. **
Cyprus can amend terms to a bailout deal that has sparked huge public anger....
http://www.bbc.com/go/em/news/world-europe-00184647 >

** BBC Daily E-mail **
Choose the news and sport headlines you want - when you want them, all in one daily e-mail
http://www.bbc.co.uk/email >

** Disclaimer **
The BBC is not responsible for the content of this e-mail, and anything written in this e-mail does not necessarily reflect the BBC's views or opinions. Please note that neither the e-mail address nor name of the sender have been verified. If you do not wish to receive such e-mails in the future or want to know more about the BBC's Email a Friend service, please read our frequently asked questions here
The bold portions are obfuscated links leading to a compromised website, which instantly redirects you to a Russian server. There, the Blackhole Exploit Kit probes your browser for any exploitable software that might be installed. The landing page's code begins with: applet code="hw" archive="/kill/larger_emergency.php?hgpw=codtpl&srjxxyhz=cayporkq" and continues with a very long line of obfuscated numeric character entities, ending in a malicious script that is run against your web browser (<script>zz=eval;</script>).
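The three traits just described (a Java applet whose JAR is served by a PHP script, a long run of numeric character entities, and a script that aliases eval) are the kind of thing a proxy or mail-gateway content scanner can flag. The following Python scanner is an added example written for this post, not code from the original article or from any product; the landing-page fragment it scans is constructed to resemble the description above (only the applet attributes are taken from the post) and is not the real exploit-kit page.

```python
import re

# Heuristic indicators of an exploit-kit landing page, based on the traits
# described in the post. Each is a regex over the raw HTML source.
INDICATORS = {
    # <applet ... archive="...something.php?..."> : a JAR served by a server-side script
    "applet_jar_from_script": re.compile(
        r'<applet[^>]*\barchive\s*=\s*["\'][^"\']*\.php(?:\?|["\'])', re.I),
    # 200 or more consecutive numeric character references (&#118;&#97;...)
    "long_numeric_entity_run": re.compile(r'(?:&#\d{1,5};){200,}'),
    # an identifier assigned the eval function itself, e.g. zz=eval;
    "eval_alias": re.compile(r'\b[A-Za-z_]\w*\s*=\s*eval\s*;'),
}


def scan_landing_page(html):
    """Return the names of all indicators that fire on the given HTML source."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]


# Constructed sample: an encoded payload rendered as numeric entities, as the
# post describes, followed by an eval alias. The encoded text is harmless.
_encoded_blob = "".join("&#%d;" % ord(c) for c in "var a=1;" * 40)  # 320 entities
SAMPLE_LANDING = (
    '<html><body>'
    '<applet code="hw" archive="/kill/larger_emergency.php?hgpw=codtpl&srjxxyhz=cayporkq"></applet>'
    '<div id="p">' + _encoded_blob + '</div>'
    '<script>zz=eval;</script>'
    '</body></html>'
)

# Constructed benign page for comparison: a few entities and an ordinary script.
SAMPLE_BENIGN = (
    '<html><body><p>&#169; 2013 Example &#8212; news</p>'
    '<script>console.log("hello");</script></body></html>'
)

if __name__ == "__main__":
    print("suspicious page:", scan_landing_page(SAMPLE_LANDING))
    print("benign page:", scan_landing_page(SAMPLE_BENIGN))
```

Any one indicator alone is weak (numeric entities are legitimate in plenty of pages), so a deployment would score them together and treat the applet-from-PHP plus eval-alias combination as the high-confidence signal.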
The payload is usually a hostile Java Applet (as seen in "applet code" above), whose purpose is to install a backdoor downloader onto your computer. This downloader will then download Trojans and remote control software, making your computer a zombie member of a botnet. The Trojan it downloads may steal your online banking credentials, or lock up your computer until you pay a ransom.
The thing that makes this type of scam believable is that I just read an actual Fox News alert about this very situation. It said: "Cyprus lawmakers vote down European Union-mandated seizure of bank deposits to fund a bailout of the country"
Knowledge of these ever-changing social tricks employed by cyber criminals should get your scam detectors up and running. If you receive an email such as the one I just described, delete it on sight. If you want to read news reports about crises, go directly to your favorite online news website, without clicking on any links contained in shady emails.
You can also detect spoofed links by hovering your mouse pointer over them, without clicking. The actual link destination will appear at the bottom of your email client or (webmail) browser, in a status bar. If the visible text says bbc.(com|co.uk), but the hovered-over status bar readout says something like "golubevod.org.ua" or "absolutionpw.ru" - don't click on the link!
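The hover check above compares the domain a link claims to go to with the host it actually points at. The same comparison can be automated over an email's HTML, which is what this added Python example does; it is written for this post and is not code from the original article. The sample message is constructed to mirror the scam described above (the bbc.com URL and the two suspicious domains are the ones quoted in the post; the link targets and paths are made up).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body. The first anchor shows bbc.com text but points
# at a different host; the second is consistent; the third has no domain in its
# visible text, so the hover check cannot judge it.
SAMPLE_EMAIL_HTML = """
<p>Hazel Moon saw this story on the BBC News website and thought you should see it.</p>
<p><a href="http://golubevod.org.ua/kill/larger_emergency.php?hgpw=codtpl">http://www.bbc.com/go/em/news/world-europe-00184647</a></p>
<p><a href="http://www.bbc.co.uk/email">http://www.bbc.co.uk/email</a></p>
<p><a href="http://absolutionpw.ru/faq.php">frequently asked questions here</a></p>
"""

# A domain-looking token inside visible link text (e.g. www.bbc.com)
DOMAIN_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append((self._current[0], self._current[1].strip()))
            self._current = None


def _normalise(host):
    """Lower-case a hostname and drop a leading www. so bbc.com == www.bbc.com."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def find_spoofed_links(html):
    """Return (visible_text, actual_host) for links whose text names one domain
    but whose href resolves to an unrelated host."""
    parser = AnchorCollector()
    parser.feed(html)
    spoofed = []
    for href, text in parser.anchors:
        href_host = _normalise(urlparse(href).hostname or "")
        match = DOMAIN_RE.search(text)
        if not match or not href_host:
            continue  # no domain claimed in the text, or no host to compare
        claimed = _normalise(match.group(1))
        # accept the claimed domain itself or any of its subdomains
        if href_host != claimed and not href_host.endswith("." + claimed):
            spoofed.append((text, href_host))
    return spoofed


if __name__ == "__main__":
    for text, host in find_spoofed_links(SAMPLE_EMAIL_HTML):
        print("link text %r actually goes to %s" % (text, host))
```

The third anchor is the limitation worth noting: link text such as "frequently asked questions here" claims no domain, so a text-versus-href comparison says nothing about it, which is exactly why the post advises hovering over every link rather than only the ones that look like URLs.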
I hope this helps save somebody's day from a malware attack.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.