The “I’m in trouble” massive malware outbreak

A series of massive email outbreaks have been intercepted and analyzed by Commtouch Labs over the last several days with subjects like “Need your help!” and “I’m in trouble,” containing links that lead to malware downloads. They are being spammed around the world at rates of hundreds of thousands of messages per day.  

Many Facebook and email scams in the past have used the “help I’m in trouble” theme to induce recipients to send them money, and now malware distributors have apparently decided to try a similar tactic. This time, however the risk of answering the call of the damsel in distress isn’t that you will send a complete stranger thousands of dollars, but that you will infect your computer with malware.

The messages vary, but the goal is the same, to distribute more and more malware to unsuspecting end-users through a hyperlink within the email message. These URLs are primarily hosted on sites that are legitimate but have been compromised. The vast majority of the sites use WordPress, an open source blogging and Web site content management solution (sorry WordPress, we love you…). WordPress has a vast ecosystem of plugins that enable various additional functionalities on sites, which makes it highly user-friendly for even the least experienced Webmaster. However with these plugins comes a certain amount of risk – each plugin is developed by an independent developer, with no centralization; each plugin has its own security updates, and its own vulnerabilities. Inexperienced Web site owners may not update all of their plugins (or WordPress itself) on schedule, leading to holes that can be exploited to place third-party content on unsuspecting Web sites. Often the content placed on the site is not malicious in and of itself, so it may be difficult to detect even when doing a scan of the site. Typically the link within the email will lead to a script hidden on the compromised site that simply redirects to the malicious web page.

Yesterday’s top subject line in this outbreak was “Need your help!” and led to a message with this content:

——-

Hello! Look, I’ve received an unfamiliar bill, have you ordered anything?
Here is the bill [malware link]

Please reply as soon as possible, because the amount is large and they demand the payment urgently.

Looking forward to your answer

——-

However today the message evolved to a new subject line: “Fwd: I’m in trouble!” with the body text sounding even more urgent than the previous one:

——–

I was at a party, got drunk, couldn’t drive the car, somebody gave me a lift on my car, and crossed on the red light!
I’ve just got the pictures, maybe you know him???
Here is the photo [malware link]

I need to find him urgently!

Thank you

[sender’s name]

———

The messages look innocuous enough, and even have what looks like a security code (or hash) at the bottom of the message, which makes it look even more real. A recipient might think this indicates it was scanned by an antivirus engine. But if you mouse over the hyperlink, you can see that it’s a long, ugly link with lots of random characters, which should be a big red flag indicating DON’T CLICK!

Incidentally, it’s the same family of malware outbreaks as recent celebrity James Cameron outbreak, and that yummy pizza malware, both of which we reported on