It’s tough being a malware distributor – you can’t exactly go around asking people to install your malware – you need to be creative. So a global newsstory such as the election of Pope Francis is too good an opportunity to pass up.
The attack, launched a few days after the white smoke cleared, is based on large amounts of emails from “CNN Breaking News†with subject lines such as:
- Opinion: Family sued new Pope. Exclusive!
- Opinion: New pope tries to shake off the past
- Opinion: Can New-Pope Benedict be Sued for the Sex Abuse Cases?
The second part of the attack relies on hacked websites that redirect to sites hosting the Blackhole exploit kit.
- The kit, reportedly available for rent, allows its controller to set up a drive-by malware website.
- Recipients of the pope email who click on the links will visit one of the webpages set up with Blackhole.
- The JavaScript on the page scans the visiting system to determine the versions of popular and operating system software such as Adobe Flash, Adobe Reader, Java, Windows, and browsers.
- Once the kit has determined that there is vulnerability – for example, in an older version of Adobe Flash found on the visiting system – the relevant exploit is loaded allowing the controller to gain a foothold on the infected system.
- Finally the Blackhole controller, having gained control of the visitor, can now deliver further malicious content. This could include a wide range of badware such as fake AV, ransomware, or logging software to steal banking and Web credentials. Brian Krebbs has a neat summary of all the bad things malware can possibly do nowadays.
For those not interested in the goings on in Rome, the spammers also sent out emails “from†the BBC offering more details about the financial bailout in Cyprus.
Note that, in both cases, the email senders and the malware distributors may not be the same gangs – in this case the spammers receive affiliate revenue from any traffic they successfully direct to the sites hosting the Blackhole kits.
Best defense against this sort of drive-by Web malware is updated/patched version of Windows, Flash, Adobe Reader, and Java. And of course go to the actual websites of CNN and the BBC for genuine news stories.