No sooner had the world learned of the untimely death of Heath Ledger (Brokeback Mountain) than malware authors started using the late actor’s name as a social engineering ploy. Within hours of these reports, Research Project Manager Ivan Macalintal discovered a couple of malicious URLs that turn up when users key in the search terms “heath” and “ledger”:
This is very similar to the poisoned Google searches reported last Christmas. If a user clicks on any of the links, he is led to the following SEO (search engine optimization) keyword-riddled page:
However, the user doesn’t even get to see this, as this page automatically redirects to another site. This site requires the user to download a “new version of ActiveX Object.” As expected, this is just the beginning of a series of redirections that end in the download of different malicious files (like TROJ_RENOS.LZ in one infection chain, and WORM_NUCRP.GEN in another).
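The redirect chain described above (keyword-stuffed SEO page, automatic redirect, fake "ActiveX" download prompt) is the kind of thing a defender can map mechanically. The following is an added example, not Trend Micro's code; the hostnames and page contents are constructed to model the chain, and `walk_chain` takes any fetch function so it runs offline here.

```python
import re

# Constructed sample pages (hypothetical hosts) modelling the chain in the write-up:
# SEO keyword page -> automatic redirect -> page demanding a "new version of ActiveX Object".
PAGES = {
    "http://seo.example/heath-ledger.html": """<html><head>
        <meta http-equiv="refresh" content="0;url=http://hop.example/go"></head>
        <body>heath ledger heath ledger brokeback mountain heath ledger news heath ledger
        </body></html>""",
    "http://hop.example/go": """<html><script>window.location='http://lure.example/codec'
        </script></html>""",
    "http://lure.example/codec": """<html><body>Please download a new version of ActiveX
        Object to view this video. <a href="http://lure.example/activex_setup.exe">Install</a>
        </body></html>""",
}

META_REFRESH = re.compile(r'<meta[^>]*http-equiv="refresh"[^>]*url=([^"\'> ]+)', re.I)
JS_LOCATION = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I)
LURE = re.compile(r"new version of ActiveX", re.I)


def extract_redirect(html):
    """Return the target of a meta-refresh or JavaScript location redirect, if any."""
    for rx in (META_REFRESH, JS_LOCATION):
        m = rx.search(html)
        if m:
            return m.group(1)
    return None


def keyword_density(html, term):
    """Fraction of visible words equal to `term`; high values suggest SEO keyword stuffing."""
    words = re.sub(r"<[^>]+>", " ", html).lower().split()
    return words.count(term) / len(words) if words else 0.0


def walk_chain(start, fetch, max_hops=10):
    """Follow automatic redirects from `start` until a lure page, a dead end, a loop or max_hops.

    `fetch(url)` must return the page HTML or None. Returns the hop list and the lure URL."""
    hops, seen, url, lure = [], set(), start, None
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        hops.append(url)
        html = fetch(url)
        if html is None:
            break
        if LURE.search(html):       # fake ActiveX prompt: stop here, do not follow the download
            lure = url
            break
        url = extract_redirect(html)
    return {"hops": hops, "lure_page": lure}
```

Swapping `PAGES.get` for a real HTTP client turns this into a sandboxed crawler that records each hop of a chain for blocklisting and for notifying the owners of the compromised sites.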
Piggybacking on newsworthy events is not new. A month ago, malware authors also jumped on the assassination of Pakistan Prime Minister Benazir Bhutto. In this case, malware authors simply used news of Ledger’s death to jumpstart massive redirections, knowing that many people would be searching for this hot news item.
Our analysts have already contacted Czech CERT to properly inform the affected parties in this massive hacking incident.
Information and screenshots provided by Ivan Macalintal and Threat Response Engineer Maersk Menrige
Write-up updated by Ma. Christina Cruz