- Category: August 2013 - Data Protection & Security
Last month, all media channels reported on Kate and William awaiting the arrival of their firstborn child. The Prince of Cambridge was finally born last week, and the security firm Trend Micro began reporting spam messages that exploited the hype and were sent out remarkably fast amid the celebrations - only half a day after the official announcement.
The faked messages appear to come from ScribbleLive, a company that provides real-time engagement platforms. The emails offer a "baby watch" live blog and try to take advantage of people's curiosity. Clicking on the links in the email, however, only triggers a chain of redirections typical of Blackhole exploit kit (BHEK) spam runs. The BHEK landing page is a page that cybercriminals use to determine which software versions a victim is running so that it can deliver the "correct" exploit for that configuration.
Cyril Coronado, anti-spam research engineer at Trend Micro, explains that the script that triggers the redirections is detected as JS_OBFUSC.BEB. Based on initial reports, US, Japan, and Australia were the top countries that accessed the final URL in the infection chain.
Exploit kits such as the Blackhole Exploit Kit offer cybercriminals great convenience in deploying spam runs, because they make it much easier to swap out the individual parts of a run: its social engineering lure, the exploits it uses, and its payloads. These social engineering lures often draw on recent events, such as the Boston Marathon incident or the election of Pope Francis.
This particular BHEK run is not limited to the royal baby alone. Other messages took advantage of the controversy surrounding the upcoming sci-fi film Ender's Game. While these messages are made to look like a CNN article, clicking on their links triggers the same redirections as the royal baby spam.
Maela Angeles and Ruby Santos at Trend Micro also found another spam run using the royal baby theme a couple of days later. This one pretends to be a CNN news story discussing what the US president would give as a gift to mark the birth.
The exploit kit code is detected as JS_OBFUSC.BEB, with the Java exploit detected as JAVA_EXPLOYT.RO. This particular exploit targets two vulnerabilities in Java: CVE-2013-1493 and CVE-2013-2423. Both of these vulnerabilities have been patched by Oracle. The ultimate payload is a Trojan detected as TROJ_MEDFOS.JET. (Source: http://blog.trendmicro.com)
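The infection chain described above (a multi-hop redirection sequence ending at an exploit-kit landing page, followed by a Java exploit fetch) leaves a recognisable trace in outbound web proxy logs. The following Python script is an added example, not code from the original article or from Trend Micro: it reconstructs per-client redirect chains from a constructed proxy log excerpt, flags chains that bounce across several unrelated hosts while leaving ordinary same-site redirects alone, and lists any later Java artefact (`.jar`/`.class`) fetched from the final host by the same client. The log format, host names and client addresses are invented for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log excerpt (invented for this example, not from the article).
# Fields: timestamp client method url status location ("-" when no Location header)
SAMPLE_LOG = """\
2013-07-23T10:01:02Z 10.0.0.5 GET http://news-lookalike.example/babywatch 302 http://redir1.example/go
2013-07-23T10:01:03Z 10.0.0.5 GET http://redir1.example/go 302 http://redir2.example/x
2013-07-23T10:01:04Z 10.0.0.5 GET http://redir2.example/x 302 http://landing.example/kit/index.php
2013-07-23T10:01:05Z 10.0.0.5 GET http://landing.example/kit/index.php 200 -
2013-07-23T10:01:06Z 10.0.0.5 GET http://landing.example/kit/payload.jar 200 -
2013-07-23T10:02:00Z 10.0.0.7 GET http://intranet.example/page 302 http://intranet.example/page/
2013-07-23T10:02:01Z 10.0.0.7 GET http://intranet.example/page/ 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than raising."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, location = m.groups()
        entries.append({"ts": ts, "client": client, "method": method, "url": url,
                        "status": int(status),
                        "location": None if location == "-" else location})
    return entries


def build_chains(entries):
    """Link each 3xx response to the same client's next request for its Location.
    Returns one chain per starting request that redirected at least once."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)
    chains = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexicographically
        i = 0
        while i < len(reqs):
            hops = [reqs[i]["url"]]
            j = i
            while (300 <= reqs[j]["status"] < 400 and reqs[j]["location"]
                   and j + 1 < len(reqs) and reqs[j + 1]["url"] == reqs[j]["location"]):
                j += 1
                hops.append(reqs[j]["url"])
            if len(hops) > 1:
                chains.append({"client": client, "hops": hops, "end_ts": reqs[j]["ts"]})
            i = j + 1
    return chains


def suspicious_chains(entries, min_redirects=3, min_hosts=3):
    """Flag chains with many redirects across many distinct hosts, the pattern the
    article describes for BHEK spam runs; a single same-site redirect is not flagged."""
    flagged = []
    for c in build_chains(entries):
        redirects = len(c["hops"]) - 1
        hosts = {urlparse(u).netloc for u in c["hops"]}
        if redirects >= min_redirects and len(hosts) >= min_hosts:
            flagged.append(c)
    return flagged


def followup_fetches(entries, chain, exts=(".jar", ".class")):
    """List later requests by the same client to the chain's final host for Java
    artefacts, i.e. the exploit stage that follows the landing page."""
    final_host = urlparse(chain["hops"][-1]).netloc
    return [e["url"] for e in entries
            if e["client"] == chain["client"] and e["ts"] > chain["end_ts"]
            and urlparse(e["url"]).netloc == final_host
            and urlparse(e["url"]).path.lower().endswith(exts)]


def report(text=SAMPLE_LOG):
    """Summarise each flagged chain: client, hop count, final URL, Java fetches."""
    entries = parse_log(text)
    return [{"client": c["client"], "redirects": len(c["hops"]) - 1,
             "final_url": c["hops"][-1], "java_fetches": followup_fetches(entries, c)}
            for c in suspicious_chains(entries)]


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

The thresholds (`min_redirects`, `min_hosts`) are deliberately conservative so that link shorteners and trailing-slash redirects do not drown the output; the final URL and any Java fetch are the items worth cross-checking against the antivirus detections the article names (JS_OBFUSC.BEB, JAVA_EXPLOYT.RO, TROJ_MEDFOS.JET) and the Java patch level on the client.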