    TrendLabs Security Intelligence Blog

    Author Archive - Cyril Coronado (Anti-Spam Research Engineer)




    Since the first official announcement in early December last year, the world has eagerly awaited the birth of the first child of Prince William and Kate Middleton. After months of anticipation, the Duchess of Cambridge gave birth to a son, the new Prince of Cambridge, a couple of days ago.

    But amid the celebrations, an old threat resurfaced. We spotted spammed messages related to the royal baby's birth. The speed with which these messages appeared is remarkable, considering the official announcement was made on July 22nd at 4:24pm (BST).


    Figure 1. Sample spam email about the royal baby



    Figure 2. “Royal Baby” related threats started appearing half a day after the official announcement

    These messages appear to come from ScribbleLive, a service that provides real-time engagement platforms. The offer is, of course, fake, and clicking on the links in the email only triggers the chain of multiple redirections that is typical of Blackhole exploit kit (BHEK) spam runs. BHEK's landing page is a script that cybercriminals use to determine which browser and plugin versions a victim is running, so that the page can deliver the "correct" exploit for that combination.
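    A first triage check that catches this kind of lure is to compare the domain the message claims to come from with the domains its links actually point to. The script below is an added example written for this post and is not code from Trend Micro; the sample message is constructed to resemble the lure described above (a spoofed ScribbleLive sender whose link points elsewhere), and the `example-redirector.invalid` host is a placeholder, not a real URL from the campaign.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the spoofed ScribbleLive lure described
# in the post; not a real captured message, and the redirector host is
# a placeholder (.invalid TLD never resolves).
SAMPLE_EML = """\
From: "ScribbleLive" <noreply@scribblelive.com>
To: victim@example.org
Subject: The Royal Baby: Live Updates
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Watch the live coverage of the royal birth:</p>
<a href="http://example-redirector.invalid/royal-baby/news.php">Live coverage</a>
<a href="http://www.scribblelive.com/unsubscribe">Unsubscribe</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect the href targets of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registered_domain(host):
    """Crude registrable domain: the last two DNS labels.

    Assumption: no public-suffix list is available offline, so this
    misjudges hosts under suffixes like co.uk; adequate for triage.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(raw):
    """Parse a raw RFC 822 message and return (message, [hrefs in HTML parts])."""
    msg = email.message_from_string(raw, policy=policy.default)
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            links.extend(parser.links)
    return msg, links


def flag_mismatched_links(raw):
    """Return (sender_domain, [links whose host lies outside the sender's domain]).

    A link to a domain unrelated to the claimed sender is the pattern
    seen in the lure above; it is a triage signal, not proof of malice.
    """
    msg, links = extract_links(raw)
    sender_addr = parseaddr(str(msg["From"]))[1]
    sender_dom = registered_domain(sender_addr.rpartition("@")[2])
    suspicious = []
    for link in links:
        host = urlparse(link).hostname or ""
        if registered_domain(host) != sender_dom:
            suspicious.append(link)
    return sender_dom, suspicious


if __name__ == "__main__":
    sender, flagged = flag_mismatched_links(SAMPLE_EML)
    print("claimed sender domain:", sender)
    for link in flagged:
        print("link outside sender domain:", link)
```

    The check is deliberately one-sided: a link that does match the sender's domain proves nothing, since spam runs routinely hide the redirector behind a compromised legitimate site, and a mismatch is common in legitimate mail that uses a third-party mailer. Use it to prioritise which messages get detonated in a sandbox, where the redirection chain itself can be followed safely.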

    In this case, the script that triggers the redirections is detected as JS_OBFUSC.BEB. Based on initial reports, the US, Japan, and Australia were the top countries accessing the final URL in the infection chain. As more users from the UK go online during their morning looking for news about the royal baby, we expect to see more infection hits from that region.


    Figure 3. More than half of the hits came from the US

    Exploit kits such as the Blackhole Exploit Kit offer cybercriminals great convenience in deploying spam runs: the social engineering lure, the exploits used, and the final payload are separate components, so each can be swapped out without rebuilding the rest of the run.

    These social engineering lures often come in the form of recent events, such as the Boston Marathon incident and the election of Pope Francis.

    This particular BHEK run is not limited to the royal baby alone. Other spammed messages take advantage of the controversy surrounding the upcoming sci-fi film Ender's Game. While these messages are made to look like an article from CNN, clicking on their links triggers the same redirections as the royal baby spam.


    Figure 4. Sample spam email about Ender’s Game

    Additional analysis by Maela Angeles and Ruby Santos

    Update as of July 25, 8:00 PM PDT

    We have found another spam run using this theme. This one pretends to be a CNN news story discussing what the US president would give as a gift to mark the birth:

    Figure 5. Fake CNN news report

    The exploit kit code is detected as JS_OBFUSC.BEB, and the Java exploit it serves is detected as JAVA_EXPLOYT.RO. This exploit targets two vulnerabilities in Java, CVE-2013-1493 and CVE-2013-2423, both of which Oracle has already patched; users running an up-to-date Java are not affected by this stage of the chain. The final payload is a Trojan detected as TROJ_MEDFOS.JET.

    Additional analysis by Hadden Xiao, Mark Tang, Mark Aquino and Adrian Cofreros




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice