Spammers have launched two new botnets, using the Texas fertiliser plant explosion and the Boston Marathon bombing to initiate spam campaigns. Capitalising on the attention the tragedies gained, they have created two major spam botnets to flood users with e-mails that claim to lead to videos of the incidents.
In an e-mail advisory, Dell SecureWorks warned that the Kelihos and Cutwail botnets started spreading spam e-mails – titled “Boston Explosion Caught on Video” and “Aftermath to explosion at Boston Marathon” – on 16 April. Those who open the links enter a website that compromises their system through the Redkit exploit kit and installs malware, including ZeroAccess Trojan, which mines BitCoins.
In an interview for eWEEK, Dell’s senior security researcher Brett Stone-Gross pointed out that the size of the campaigns was considerable as the Boston attack was used by two different botnets at the same time.
According to Cisco, spammers registered several domains a day before the e-mail attack began, right after the Boston bombing, and by 17 April the campaign accounted for 40% of all spam seen by the company.
The content of the spam e-mails comprises a simple link to a website “boston.html” at a specific IP address, TrustWave said. When users click on the fraudulent link, they land on a website with videos where invisible iFrame links load in exploits for Java. If the exploits are successful, the computer gets malware installed on it. The malware communicates with Russian servers, which is a common practice for cyber-criminals.