
Boston bombing email scams morph into Waco explosion scams

April 18, 2013

In the early hours of April 17, 2013, I published an article detailing an email scam using the Boston bombings as the lure to attack computers with malware. Today, that scam has switched to referring to the fertilizer plant explosion in Waco West, Texas, on the evening of April 17. The links and landing pages are the same as yesterday's.

In today's email attacks, the Subject lines have been changed to refer to the Waco explosion, in forms such as these:

Waco Explosion HD

CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas

Raw: Texas Explosion Injures Dozens

Runner captures. Marathon Explosion

The message bodies still contain nothing but a single numeric hyperlink, in plain text. The links take this form (deactivated for your safety):

h**p://95.87.6.156/news.html

As of this writing, all of today's links use a bare four-octet numeric IP address as the host, followed by "/news.html", though that file name has been changed to "/texas.html" in some recent messages.
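The lure pattern described above (a disaster-news subject, a body holding nothing but a link to a bare numeric IP, and the "/news.html" or "/texas.html" path) can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original post; the sample messages, the example.invalid and TEST-NET addresses, the keyword list and the "three reasons" threshold are all my own assumptions.

```python
import re
from email import message_from_string
from email.policy import default

# A link whose host is a bare four-octet IPv4 address. The scheme may be intact
# (http) or defanged (hxxp, h**p) so the check also works on shared samples.
IP_URL_RE = re.compile(
    r"\bh(?:ttp|xxp|\*\*p)s?://(\d{1,3}(?:\.\d{1,3}){3})(/[^\s\"'<>]*)?", re.I)

# Subject keywords and landing-page file names reported in the post (assumed list).
LURE_TERMS = ("explosion", "boston", "marathon", "waco", "texas")
LURE_PATHS = ("/news.html", "/texas.html")

def triage_message(raw):
    """Score one RFC 822 message string for the bare-IP-link lure pattern."""
    msg = message_from_string(raw, policy=default)
    subject = msg["subject"] or ""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    hits = IP_URL_RE.findall(text)
    ips = sorted({ip for ip, _ in hits})
    paths = sorted({path for _, path in hits if path})
    # With the links removed, a lure body from this campaign is nearly empty.
    residue = IP_URL_RE.sub("", text).strip()
    reasons = []
    if ips:
        reasons.append("bare-IP link")
    if any(p.lower() in LURE_PATHS for p in paths):
        reasons.append("known lure path")
    if any(t in subject.lower() for t in LURE_TERMS):
        reasons.append("disaster-news subject")
    if ips and len(residue) < 40:
        reasons.append("link-only body")
    verdict = "malicious" if len(reasons) >= 3 else "suspicious" if ips else "clean"
    return {"verdict": verdict, "ips": ips, "paths": paths, "reasons": reasons}

# Constructed samples, not real messages: one mimicking the lure, one benign.
LURE_SAMPLE = """\
From: news@example.invalid
Subject: CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas

http://192.0.2.10/texas.html
"""
BENIGN_SAMPLE = """\
From: colleague@example.invalid
Subject: Minutes from Thursday's meeting

Hi, the minutes are on the wiki: https://wiki.example.invalid/minutes/2013-04-18
"""
```

Calling `triage_message(LURE_SAMPLE)` returns a "malicious" verdict with all four reasons, while the benign message comes back "clean"; a bare-IP link in an otherwise ordinary message is only "suspicious", which is the right place to route to a human.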

As in yesterday's malware attack pages, these numeric IP links all land on a compromised computer or device in the former Soviet Union. The pages all contain several large iframes holding YouTube videos of the fire and sudden explosion at the fertilizer plant in Waco, Texas. And, as in the previous attacks, there is an iframe at the bottom of those pages that displays an error message, such as: "Error, please try again later."

What you would not see in that last iframe is the Java applet it loads from yet another compromised computer. Its code embeds a hostile .jar file, the archive format used by Java applets. A .jar file is a container, much like a zip file, which Java unpacks; the routines named in its configuration file then run to probe your web browser and operating system for the presence of Java. If Java is installed and is not the very latest patched version (one patched against the attack routines in that .jar file), your computer or device may be taken over by this malware downloader.
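A responder who has safely fetched one of these landing pages (and the frame it pulls in) can confirm the structure described in the two paragraphs above: decoy video iframes, an off-site iframe, and an applet tag pointing at a .jar archive. The scanner below is an added example, not code from the original post; the two HTML samples, the TEST-NET addresses and the file names in them are constructed, and the decoy-host list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Video hosts that the lure page embeds as legitimate-looking decoys (assumed list).
DECOY_HOSTS = ("youtube.com", "youtu.be")

class FrameAppletCollector(HTMLParser):
    """Collect iframe sources and .jar references while parsing one document."""
    def __init__(self):
        super().__init__()
        self.iframes, self.jars = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a.get("src", ""))
        elif tag in ("applet", "object", "embed", "param"):
            # archive= on <applet>; <param name="archive" value=...> on <object>
            for key in ("archive", "value", "data", "src"):
                if a.get(key, "").lower().endswith(".jar"):
                    self.jars.append(a[key])

def scan_page(html, page_url):
    """Classify one fetched document by its decoy frames, off-site frames and .jar loads."""
    page_host = urlparse(page_url).hostname or ""
    c = FrameAppletCollector()
    c.feed(html)
    decoys, offsite = [], []
    for src in c.iframes:
        host = urlparse(src).hostname or page_host  # a relative src stays on-site
        if any(host == d or host.endswith("." + d) for d in DECOY_HOSTS):
            decoys.append(src)
        elif host != page_host:
            offsite.append(src)
    # "applet": a .jar is loaded here; "iframe-chain": fetch and scan those frames next.
    verdict = "applet" if c.jars else "iframe-chain" if offsite else "clean"
    return {"decoy_iframes": decoys, "offsite_iframes": offsite,
            "jars": c.jars, "verdict": verdict}

# Constructed samples: a landing page like the one described, and the frame it loads.
LANDING_SAMPLE = """<html><body>
<iframe width="640" height="390" src="https://www.youtube.com/embed/VIDEO_A"></iframe>
<iframe width="640" height="390" src="https://www.youtube.com/embed/VIDEO_B"></iframe>
<iframe width="640" height="60" src="http://203.0.113.7/error.html"></iframe>
</body></html>"""
FRAME_SAMPLE = """<html><body>Error, please try again later.
<applet code="Loader.class" archive="http://203.0.113.7/files/payload.jar"
        width="1" height="1"></applet>
</body></html>"""
```

`scan_page(LANDING_SAMPLE, "http://192.0.2.10/news.html")` reports two decoy frames and one off-site frame ("iframe-chain"), and scanning that frame's content with `scan_page(FRAME_SAMPLE, "http://203.0.113.7/error.html")` surfaces the .jar ("applet"), which is the stage to block at the proxy and hunt for in logs.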

What you should know

Almost all of the current malicious exploit kits, like Blackhole, target Java before anything else. That is because Java is installed on billions of devices worldwide, often unbeknownst to the owners of those devices. Sometimes Java gets installed when one visits a web page that uses Java applets for interactive games and presentations. It is also installed with OpenOffice, from Apache, which needs it for its database and some other functions. Often, by the time OpenOffice is updated with a new version of Java, exploits for its existing version have been in the wild for months.

If you need Apache's OpenOffice but don't visit web pages requiring Java, you should disable Java content in your browsers. The latest versions of Java, available since early 2013, have a Security tab in the settings dialog with a checkbox that one can uncheck (and apply) to disable Java in all browsers installed on that computer. This eliminates the browser as the weak link in the attack.

If you must have Java in a browser to interact with certain important web sites, or with software applications that run in a browser, I recommend using a different browser for just those sites or apps and not browsing anywhere else with that browser. It should not be your system default browser. That way it won't automatically open when you click on a link in, say, a .pdf file someone sends you, or on a poisoned link in an email scam.

After setting up one browser to use the Java plug-in, you need to manually disable Java in all remaining browsers. This is usually managed via your browser's Options, under items such as "Add-ons," "Extensions," or "Plug-ins." Be sure to do this for your default browser.

Java is a powerful technology that can be used for good things, but nowadays it is more often exploited by bad guys than used on legitimate web sites. So, unless you know that you must have Java installed and take precautions to minimize your exposure to Java exploit kit attacks, I recommend uninstalling all instances of it. Windows users can easily find and uninstall Java through the Windows Control Panel. For Windows XP users, look for the icon labeled "Add/Remove Programs." For Windows Vista, 7 and 8, click on Programs (and Features), then "Uninstall a program." Scroll down alphabetically until you see any entry beginning with "Java" and uninstall each one until no instances remain. When the last and most recent version is gone, its Control Panel icon will go with it. Now reboot your computer to flush out any Java instances that may have been active in a browser or in memory.

Finally, as I have said before, learn to operate your computer with less than Administrator privileges! A Limited or Standard User account on Windows is harder for an exploit kit to take over than one running with Admin rights: you have to jump through a couple of hoops to install programs that affect the operating system directories or Program Files, whereas Administrators can be infected without notice by cleverly coded malware routines. I have published three articles or web pages explaining how to operate with reduced user privileges and how this protects your computers: [1] [2] [3]


About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security and combating spam. Wizcrafts Computer Services was established in 1996.
