No less than a day or so after we discovered the spam campaign taking advantage of the Boston Marathon bombing, we came upon yet another spam campaign, very similar to the previous one except this time it uses the Texas fertilizer plant explosion as a lure. The fertilizer plant explosion occurred a mere few days after the tragedy in Boston, with 35 suspected dead and more than 160 people injured.
What’s disturbing about this particular campaign is not only that it comes hot on the heels of the previous one, but also that the two seem eerily similar to each other. Upon further analysis, we’ve discovered that the malicious URLs that the spammed mails link to have identical structures, right down to the domains. Even the spammed mails themselves are similar to each other.
Figure 1. The Boston Marathon explosion spammed email
Figure 2. Texas plant explosion spammed email
The only thing distinguishing them from each other was the document file name that the URL led to – i.e. one URL from the Boston spam campaign led to “boston.html” while the one from Texas led to “texas.html”. It was as if the cybercriminals chose to capitalize on the latest tragedy by simply switching names. The malicious URLs, of course, lead to exploit landing pages that could compromise an affected user’s system.
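The overlap described above (same domains, same URL structure, only the document name changed) can be checked mechanically when triaging spam samples. The following is an added example, not code from the original post: it groups links by host, directory and extension while ignoring the document name. The sample URLs and lure labels are constructed and use reserved documentation addresses.

```python
from collections import defaultdict
from urllib.parse import urlsplit
import posixpath

# Constructed sample data: (lure label taken from the mail subject, URL in the body).
# Hosts are reserved documentation addresses/names, not indicators from the post.
SAMPLE_LINKS = [
    ("boston", "http://192.0.2.10/boston.html"),
    ("texas", "http://192.0.2.10/texas.html"),
    ("boston", "http://198.51.100.7/boston.html"),
    ("texas", "http://198.51.100.7/texas.html"),
    ("newsletter", "http://news.example.com/2013/04/weekly.html"),
]


def url_template(url):
    """Reduce a URL to (host, directory, extension), dropping the document name."""
    parts = urlsplit(url)
    directory, leaf = posixpath.split(parts.path)
    _, ext = posixpath.splitext(leaf)
    return (parts.hostname or "").lower(), directory or "/", ext.lower()


def linked_campaigns(links):
    """Return URL templates shared by more than one lure.

    The result maps each shared template to {lure label: [document names]},
    which exposes the "same infrastructure, renamed page" pattern.
    """
    groups = defaultdict(lambda: defaultdict(set))
    for label, url in links:
        leaf = posixpath.basename(urlsplit(url).path)
        groups[url_template(url)][label].add(leaf)
    return {
        template: {label: sorted(names) for label, names in by_label.items()}
        for template, by_label in groups.items()
        if len(by_label) > 1  # keep only templates reused across different lures
    }


if __name__ == "__main__":
    for template, lures in linked_campaigns(SAMPLE_LINKS).items():
        print(template, lures)
```

A template that appears under more than one lure is a candidate for blocking at the host level rather than per URL, since the next lure is likely to reuse it under a new document name.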
We’ve also noted certain Twitter accounts spreading links using keywords related to the MIT shooting in Boston. These links redirect users to various websites of dubious reputation (mostly adware- or spam-related). Though we have yet to see these links redirect to any malware-hosting website, users must still be cautious with their social media activities.
Figure 3. Tweets leading to various dubious sites
What does this tell us? It’s simply more proof that cybercriminals view such tragedies as fodder for their socially-engineered threats. As morally deplorable as it sounds, incidents like these can be opportunities for them. The speed and audacity with which they attempted to capitalize on both events should be quite the wake-up call for those of us still skeptical of how cybercriminals operate.
Users are therefore advised to remain vigilant, more so in times of tragedy, with the knowledge that a cybercriminal is always on the lookout for his next lure and his next victim.
Keep in mind the following practices whenever such an event occurs:
- Never click on or open any suspicious mails that seem to be from suspicious sources.
- Never click on links or attachments from those suspicious emails.
- Never rely on search engines for specific news items; go to your bookmarked news websites directly instead.