With the entire internet abuzz about the iCloud hacking leak – where more than a hundred celebrities had their private photos leaked online – it was only a matter of time before some enterprising cybercriminal decided that the situation was ripe for socially-engineered threats. And that’s just what happened, as our scanning brought to our attention some freshly-concocted schemes targeting those looking for the photos from the aforementioned leak.
The first threat we found hails from Twitter, in the form of a tweet being posted with hashtags that contain the name of one of the leak’s victims – Jennifer Lawrence. The tweet sports a shortened link that, if clicked, leads the user to a website offering a video of the actress in question.
Figure 1. Tweet with malicious link
Figure 2. Website with offered video
If the user goes on to engage the playback, they are instead redirected to a download page for a ‘video converter’. The downloaded file is detected as ADW_BRANTALL.
Figure 3. Video converter download
Besides this bait-and-switch maneuver, this particular threat also spread itself on Facebook by forcing users to share the malicious site on their profiles before they are given the ability to ‘play’ the offered video. This would result in the user’s wall being spammed with the link, as well as the download of another variant of ADW_BRANTALL. The spamming is shown below.
Figure 4. Victim’s wall spammed with links
Of course, in both cases, the user does not get to watch any video at all. And from our analysis, it appears that the majority of the users affected by this are from the United States (70%).
We also discovered several malicious files floating around the internet that have been relabeled as zipped archives and/or video files of the leaked pictures in question. Again, we believe these files are part of a cybercriminal scheme to target those looking for the pictures themselves. We detect these files as variants of the following malware:
- LNK_DUNIHI.SMIX
- VBS_DUNIHI.IXG
The malware in question, specifically BKDR_FYNLOS.SMM, LNK_DUNIHI.SMX and VBS_DUNIHI.IXG, have backdoor routines that may compromise the safety of the affected system. TROJ_DROPPER.JLGG, on the other hand, may drop other malware and cause the affected system to exhibit malicious routines.
With this incident in mind, it’s a good time to remind users that all popular news events – the iCloud leak being a prime example – will always have cybercriminals taking advantage of them in one way or another. If it’s something that you’ll use a search engine for, there’s a good chance that they’ve already created threats for it that will jump on you the moment you go looking. And do note that the threats we’ve talked about above are not the only ones lying in wait!
Always get your online news from trusted websites, and refrain from looking for and downloading illegal material (such as leaked private photos or cracked software). Look into installing a security solution as well, if you haven’t done so already in these turbulent times. A few fleeting moments of convenience or enjoyment are never worth the hassle.
With additional analysis from Rika Gregorio