TrendLabs recently received a spammed message that uses fake news about the deaths of Hollywood celebrities and famous athletes.
The spam came in two varieties. One has a .ZIP file attachment containing the malicious file news.exe, which is detected as TROJ_DLDER.AU. TROJ_DLDER.AU connects to a URL to download TROJ_BREDOLAB.XY.
The other comes with an .HTML file attachment detected as JS_REDIR.BB. It leads to a couple of URL redirects, which ultimately lead to the download of the malicious file HTML_REDIR.BA. HTML_REDIR.BA connects to another URL, possibly to download additional malware, though that URL is now inaccessible.
Curiously, the description of the incident that supposedly killed these celebrities is based on a real incident: the 1996 death of U.S. Commerce Secretary Ronald Brown. All of the details cited in the email were identical to those of the crash that killed Brown. Using the details of a real-life incident may have been an attempt to make the spammed messages more convincing to readers.
Most people have a natural tendency to gravitate toward every bit of news and controversy surrounding celebrities, especially if the news has to do with their death. This has made celebrity deaths one of the most consistently used social engineering ploys for malware attacks. The attacks that use this kind of news range from spam with malware attachments to blackhat SEO attacks. Here are just some of the celebrities and popular figures that have been used for this social engineering tactic:
No sooner had the world learned of the untimely death of Heath Ledger than cybercriminals started using the late actor’s name as a social engineering ploy. Within hours of the reports, malicious URLs turned up when users keyed in the search terms “heath” and “ledger.”
Cybercriminals peppered the Internet with blackhat SEO links that were likely to attract users who were searching for news about the death of “Charlie’s Angels” star Farrah Fawcett, who, at age 62, lost her battle with cancer.
The King of Pop was one of the most popular music artists of all time, and his last moments in the hospital prior to his death led to the proliferation of malicious links in the wild via the instant-messaging (IM) application MSN.
Spammed messages recently went around claiming that rapper Eminem died in a car crash. The spammed messages tried to trick users by claiming to come from legitimate news sources.
Other attacks seen in the past include those surrounding the deaths of Corey Haim, Brittany Murphy, and former Philippine President Corazon Aquino.
Trend Micro™ Smart Protection Network™ protects users from these threats by blocking the related spammed messages and malicious sites as well as by detecting the related malicious files.
Update as of August 26, 2010, 3:25 p.m. (UTC)
Upon further investigation, we’ve found that HTML_REDIR.BA connects to two URLs by using an IFRAME and a meta refresh tag. With an IFRAME, the browser is not redirected to the website. Instead, it connects to the site and displays the site’s contents in the specified frame. With a meta refresh tag, however, the entire browser is redirected to the site. The site that the meta refresh tag redirects to is the final landing page.
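The following is an added example, not TrendLabs code or the actual HTML_REDIR.BA content: a static triage script for an .HTML attachment that separates URLs loaded inside an IFRAME from the URL a meta refresh tag sends the whole browser to. The sample markup and the `.invalid` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not the real HTML_REDIR.BA); hosts are .invalid placeholders.
SAMPLE = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="4; URL='http://landing.invalid/index.php'">
</head><body>
<iframe src="http://frame.invalid/in.php"></iframe>
</body></html>"""

# content="<seconds>[;|,][url=]<target>"; quotes around the target are optional.
REFRESH_RE = re.compile(r"^\s*(\d+(?:\.\d*)?)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$", re.I | re.S)


class RedirectFinder(HTMLParser):
    """Collects framed loads (IFRAME) and whole-page redirects (meta refresh)."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (mechanism, url, effect)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; valueless attributes are None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src", "").strip():
            # Fetched and rendered inside the frame; the top-level page does not move.
            self.findings.append(("iframe", a["src"].strip(), "framed"))
        elif tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            url = (m.group(2) or "").strip().strip("'\"") if m else ""
            if url:  # a bare delay with no target only reloads the same page
                # The whole browser window navigates to this URL after the delay.
                self.findings.append(("meta-refresh", url, f"delay={m.group(1)}s"))


def find_redirects(html):
    parser = RedirectFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def landing_pages(html):
    """Only a meta refresh moves the top-level page, so only it yields a landing page."""
    return [url for kind, url, _ in find_redirects(html) if kind == "meta-refresh"]


if __name__ == "__main__":
    for finding in find_redirects(SAMPLE):
        print(finding)
```

This covers static markup only; tags written into the page by script at run time will not appear in the results.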