Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: Royal Baby as a threat lure

Jason Hill | July 29, 2013
Big events often mean big opportunities for cyber thieves to find victims who don't think twice about clicking for the latest news updates.

Who could have missed the big news last week—the Duke and Duchess of Cambridge are now the proud parents of a baby boy and future heir to the British throne. While they revel in the joy of being a family, cyber-criminals have predictably been busy delivering various malicious campaigns in order to piggyback on the news. 

The Websense ThreatSeeker Intelligence Cloud has been tracking malicious cyber-campaigns that started in the hours following the official announcement that the Duchess of Cambridge was in labour.

The campaigns detected so far are utilising email lures, which either redirect unsuspecting victims to Blackhole Exploit Kit URLs or, indeed, provide malicious attachments in the form of Windows SCR files in an attempt to dupe users. These kinds of threats are often launched when topical or global news stories develop. We'll step through both current campaigns in order to relate them to our seven stages of advanced threats and will detail how they propagate, as well as illustrate that the kill chain leading to malicious content breaks if any one link breaks.

Stage 2: Lures
In this latest example of a malicious campaign that takes advantage of users' thirst for news, we detected and stopped over 60,000 emails with the subject "The Royal Baby: Live Updates" (including quotes) that were mimicking a ScribbleLIVE/CNN notification and encouraging victims to "catch up with the latest."

Clicking any of the links in this lure email resulted in the victim being led to the same malicious redirect URL. This is similar to a recent campaign that used topical events in email lures (the Fox News-themed Malicious Email Campaign).

A different campaign, using multiple lures containing malicious attachments has been detected in lower volumes with enticing subjects designed to pique interest and encourage victims to open the message:

  • Amazing, incredible share! Follow our leader, share it!
  • Royal Baby: Diana, Charlotte or Albert
  • Royal baby in fantastic picture!

In addition to varied but Royal Baby-themed subjects, the message bodies encourage victims to open the attached "image," although the file, itself, is a malicious binary used to contact command and control (C2) infrastructure and download further malicious payloads.

Should you receive any email news alerts or unsolicited messages regarding topical events, be sure that the message is legitimate before clicking any links or downloading any attachments. It is unlikely that reputable news agencies will send unsolicited email, and, therefore, any unexpected message should be treated with caution.

By their very nature, lures rely on human curiosity and our thirst for knowledge. In addition to needing an integrated security solution that is able to detect and protect against lures, be they delivered via social web or email, users need to also be educated to be wary of unsolicited links or messages and to consider visiting reputable news sites directly to gain the latest information.


1  2  3  Next Page 

Sign up for Computerworld eNewsletters.