Nimble spammers exploit Boston bombings, Texas disaster

Spammers have always been quick to exploit avid interest in news events to capture eyeballs for their junk, but this week really tested their nimbleness.

They mounted a massive spam campaign following the bombings at the Boston Marathon on Monday, then turned on a dime later in the week when an explosion at a fertilizer plant in West, Texas jumped to the top of the news queue.

A single spam gang that specializes in capitalizing on news events is behind the Boston and Texas spam campaigns, according to Henry Stern, a threat researcher with Cisco in San Jose, Calif.


"This is a gang that does this quite often," he said in an interview. "They're trying to get new recruits for their botnets."

Botnets are networks composed of "zombie" computers whose control has been captured by a "botmaster." Once under the botmaster's control, the zombie net can be used for a variety of purposes including sending out spam.

The spammers launched their Texas campaign even as they continued their Boston one, Stern explained.

"They found a bunch of new YouTube videos, wrote eight new subjects for their emails, and they just changed their root page and out it went," he said. "They were very quick to do that. It shows they're paying attention to the news and figuring out what people are interested in in order to exploit that curiosity.

"It only took them a matter of hours to push that spam out," he added.

Spam from both campaigns contains a link to a page created by the gang that hosts videos of the respective tragedies.

At the bottom of the page is an iFrame. iFrames allow content from one website to be displayed inside a web page on another site. They can be made invisible to someone viewing the page, as is the case on the spammers' page.

When visitors land on the page of videos, the invisible iFrame silently loads a second page that pushes botware to their computer without their knowledge.
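As an added illustration (not code from the article or from any of the researchers quoted), the following Python script parses a constructed copy of such a video page and flags iframes that are hidden by tiny dimensions, CSS, or off-screen placement. The page content and the domains in it (malicious.example, other.example) are made up for the example; a real scan would fetch the page and run the same check over its HTML.

```python
"""Detect hidden iframes of the kind used for drive-by downloads.

Added example, not from the article. It parses an HTML page and flags
<iframe> elements that are effectively invisible: zero or tiny size,
display:none / visibility:hidden, off-screen absolute positioning, or
the boolean hidden attribute. The sample page and domains below are
constructed placeholders, not material from the spam campaign.
"""
from html.parser import HTMLParser
import re

# Constructed sample page: one visible, legitimate embed followed by two
# hidden frames of the kind that would load an exploit landing page.
SAMPLE_HTML = """
<html><body>
<h1>Boston Marathon explosion videos</h1>
<iframe width="640" height="360" src="https://www.youtube.com/embed/EXAMPLE"></iframe>
<iframe src="http://malicious.example/index.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://other.example/x.html" style="position:absolute;left:-9999px"></iframe>
</body></html>
"""


def _px(value):
    """Parse a width/height attribute or CSS length ('1', '1px') to an int, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _css(style):
    """Turn an inline style string 'a:b; c:d' into a dict of lowercased property -> value."""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


def hidden_reasons(attrs):
    """Return the reasons an <iframe> with these (name, value) attributes is invisible."""
    a = {k.lower(): v for k, v in attrs}
    css = _css(a.get("style"))
    reasons = []
    # Inline CSS overrides the HTML width/height attributes.
    w = _px(css.get("width", a.get("width")))
    h = _px(css.get("height", a.get("height")))
    if w is not None and w <= 2:
        reasons.append("width<=2px")
    if h is not None and h <= 2:
        reasons.append("height<=2px")
    if css.get("display") == "none":
        reasons.append("display:none")
    if css.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    if css.get("position") == "absolute":
        for side in ("left", "top"):
            v = css.get(side, "")
            offset = _px(v[1:]) if v.startswith("-") else None
            if offset is not None and offset > 1000:
                reasons.append(f"off-screen {side}:{v}")
    if "hidden" in a:  # boolean attribute; HTMLParser reports its value as None
        reasons.append("hidden attribute")
    return reasons


class IframeCollector(HTMLParser):
    """Collects the attribute lists of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append(attrs)


def find_hidden_iframes(html):
    """Return [(src, [reasons...]), ...] for every hidden iframe in the page."""
    parser = IframeCollector()
    parser.feed(html)
    results = []
    for attrs in parser.frames:
        reasons = hidden_reasons(attrs)
        if reasons:
            src = {k.lower(): v for k, v in attrs}.get("src", "")
            results.append((src, reasons))
    return results


if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src}: {', '.join(why)}")
```

The visible 640x360 YouTube embed passes, while the 1x1 frame and the frame pushed 9999px off-screen are both reported with the reason they were flagged. The thresholds (2px, 1000px) are judgment calls; a scanner in production would also resolve stylesheet rules and script-injected frames, which this parser does not see.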

Boston bombing spam was strong throughout the week, according to Loredana Botezatu, a spam threat analyst with Bitdefender in Romania. Twenty percent of the spam samples captured by Bitdefender have been related to the bombings, she noted.

Maintaining those volumes over an extended period of time is impressive. "Imagine that a lot of these domains [used by the spammers] have been shut down in the meantime, and they are still resourceful enough to keep going for it," she said in an interview.

She maintained that a variety of malware is being pushed by the Boston campaign. "They're trying to take advantage of the unpatched vulnerabilities in Java," she said.

Earlier this week, Oracle issued a "critical" update to Java, one of many in recent weeks, to address security vulnerabilities in the Java runtime. However, that is unlikely to deter digital desperadoes from continuing their activities, according to Botezatu.

"Spammers and malware criminals are very resourceful, and there are lots and lots of exploits and vulnerabilities that they use," she said.

Botezatu explained that the Boston spam leads victims to code that scans their machines for multiple vulnerabilities and exploits whichever it finds.

"They're very focused," she added, "They want to infect many machines."

Security experts warn users not to open links in suspicious emails to avoid being snared in traps set by spammers like those exploiting the news events in Boston and Texas.

"People know, for the most part, not to do that," Troy Gill, a senior security analyst with AppRiver in Gulf Breeze, Fla. said in an interview. "But sometimes, I think, our emotions get the better of us, and these are certainly emotional stories."

