As rescue efforts continue in Haiti, the world waits with bated breath for more good news about survivors. Unfortunately, while most people are thinking of ways to help victims, cybercriminals are using the tragedy to further their own malicious causes. Blackhat search engine optimization (SEO) poisoning attacks related to this tragedy have already led to FAKEAV infections.
However, the most recent FAKEAV run appears to be only the start of a wave of Haiti-related malware attacks. We recently received Portuguese-language spam samples purporting to come from the BBC. Translated into English, the message describes the current situation in Haiti and urges recipients to click a link to an embedded video, which supposedly contains photos taken by an amateur photographer who witnessed the earthquake.
Clicking the link, however, redirects users to a site that prompts them to save an .EXE file, detected by Trend Micro as TROJ_BANLOAD.JAE. This Trojan is a downloader: it connects to remote websites and retrieves another malicious file, detected as TSPY_BANKER.LMG, an information stealer targeting online banking credentials.
This is a good reminder of how far spammers will go to make their messages appear legitimate. It is therefore important to check that what a message promises is consistent with what its link actually delivers. In this case, a video or a set of photos of the aftermath would never require the recipient to download and run an .EXE file; the mismatch between the advertised content and the delivered file type is the giveaway. Users are advised to exercise caution when opening messages, particularly those from unknown senders, and to treat any "media" link that ends in an executable download as hostile.
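The consistency check described above can be automated at a mail or web gateway. The following is an added example, not Trend Micro's code or part of the original post: it takes the link text from a message plus the HTTP response headers and the first bytes of the body that the link ultimately returns, and flags the case where the text promises a video or photos but the download is a Windows executable. It combines three independent signals (filename extension in Content-Disposition, declared MIME type, and the MZ magic bytes), so a server that lies about its Content-Type is still caught. The sample link text and responses are constructed for the example, not captured from the campaign.

```python
import re

# Added example (not Trend Micro's code): decide whether a download that a
# spam message advertised as a "video" or "photos" is really a Windows
# executable, then report the reasons so an analyst can see what matched.

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
EXECUTABLE_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}
# Words (Portuguese and English) that promise media content in the link text.
MEDIA_WORDS = re.compile(
    r"\b(video|vídeo|foto|fotos|photo|photos|imagens|images)\b", re.I)


def filename_from_disposition(value):
    """Extract the filename from a Content-Disposition header, or None."""
    m = re.search(r'filename\*?=(?:"([^"]*)"|([^;]+))', value or "", re.I)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip()


def looks_like_executable(headers, body_prefix):
    """Return a list of reasons the response looks like a Windows executable.

    headers: dict of HTTP response headers (any key case);
    body_prefix: the first bytes of the response body.
    An empty list means no evidence of an executable was found.
    """
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []

    # Signal 1: the served filename carries an executable extension.
    name = filename_from_disposition(h.get("content-disposition"))
    if name:
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"filename extension {ext}")
            # "fotos.avi.exe" style names hide the real extension behind a
            # media-looking one; worth calling out separately.
            if lower.count(".") > 1:
                reasons.append("double extension")

    # Signal 2: the declared MIME type is an executable type.
    ctype = (h.get("content-type") or "").split(";")[0].strip().lower()
    if ctype in EXECUTABLE_MIME_TYPES:
        reasons.append(f"content type {ctype}")

    # Signal 3: the body starts with the DOS/PE "MZ" magic, regardless of
    # what the server claims in its headers.
    if body_prefix[:2] == b"MZ":
        reasons.append("MZ header (PE/DOS executable)")

    return reasons


def inconsistent_media_link(link_text, headers, body_prefix):
    """True when the link promised media but the download is an executable."""
    promises_media = bool(MEDIA_WORDS.search(link_text))
    return promises_media and bool(looks_like_executable(headers, body_prefix))


# Constructed sample data (not captured traffic). The link text mimics the
# Portuguese lure; the "malicious" response mislabels its Content-Type as
# video while serving a double-extension .exe whose body starts with MZ.
SPAM_LINK_TEXT = "Veja o vídeo: fotos tiradas por um fotógrafo amador"
MALICIOUS_RESPONSE = {
    "headers": {
        "Content-Type": "video/x-msvideo",
        "Content-Disposition": 'attachment; filename="fotos_haiti.avi.exe"',
    },
    "body_prefix": b"MZ\x90\x00\x03\x00\x00\x00",
}
BENIGN_RESPONSE = {
    "headers": {
        "Content-Type": "video/mp4",
        "Content-Disposition": 'inline; filename="haiti.mp4"',
    },
    "body_prefix": b"\x00\x00\x00\x18ftypmp42",
}

if __name__ == "__main__":
    for label, resp in (("malicious", MALICIOUS_RESPONSE), ("benign", BENIGN_RESPONSE)):
        flagged = inconsistent_media_link(SPAM_LINK_TEXT, resp["headers"], resp["body_prefix"])
        reasons = looks_like_executable(resp["headers"], resp["body_prefix"])
        print(f"{label}: flagged={flagged} reasons={reasons}")
```

Each signal alone can be evaded (a server can omit Content-Disposition or claim a media type), which is why the check reports every matching reason rather than stopping at the first; the MZ check in particular cannot be defeated by header games, only by not serving a PE file at all.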
Trend Micro™ Smart Protection Network™ already protects users from this attack by detecting and blocking the spammed messages, preventing user access to malicious sites, and blocking the download of the malicious files.