This past weekend a couple of spam-based malware attacks caught my attention:
I was alerted to the first one via one of my favorite security blogs: Gary Warner’s Cybercrime and Doing Time. (Although his posts have decreased in frequency this year, they’re well worth reading when they do come out.) He largely focuses on spam, and his latest post (6/25) discusses a large malware-spam campaign.
One interesting aspect of the attack that he mentioned was a sneaky iFrame that linked to a domain hosting an exploit kit (motorssmonito.com). Exploit kits are something we try to pay close attention to, so I checked the WebPulse logs to see how many of our users had attempted to visit the exploit server…
As it turned out, even though this was a big spam campaign (more than 60,000 e-mails in their honeypots), only two WebPulse users had their browser request the exploit link. I thought, "Great! I can write a blog post congratulating our users on being too smart to fall for a malware spam!"
But, when I checked the logs for traffic to the main domain, there were 247 instances of users who had clicked the spam link and headed there. (Apparently, not all visitors were served the malicious iFrame; I’m not sure what else would explain the drop-off in traffic from the main spam domain to the exploit server domain.)
The good news for WebPulse users is that both attempted visits to motorssmonito.com were dynamically flagged as Malware by WebPulse (via its Background Checker module).
The other malware-spam attack was one I noticed in my own honeypots. Here is the first example. Thematically, it’s a twist on a recent spate of NACHA and IRS spam (see the fake "from" address, and the link to the Federal Reserve).
I thought it was interesting that they misspelled different words in different places (e.g., "information" in the subject line, and "published" in the e-mail body). I also wondered why on Earth the spammers thought that I would believe that the Federal Reserve would be e-mailing individual users about their Facebook data being compromised. I mean, I can maybe see the Fed being interested in compromised banking data (though even that’s a stretch), but Facebook?!?
Anyway, here is the second example, different mainly in that the fake "from" address is Facebook, not NACHA:
In both cases, the "click here" link resolved to a domain named personal-web-security.org, for a file called published-information.exe. When I first searched the WebPulse logs for personal-web-security.org URLs, I didn’t find any hits. Once again, I thought "Great job, users! Way to not take the bait! I’ll write a congratulatory blog post in your honor!"
Unfortunately, I realized I had run the search on the wrong day’s logs. (And, like most malware-spam attacks, these spams had all come in one day.) When I switched to the correct day, the users didn’t fare as well: the WebPulse logs showed 42 potential victims who clicked the link to ask for the .EXE file.
Fortunately, all 42 requests were dynamically flagged by WebPulse as Suspicious, as the payload set off too many warning bells, but still, come on people! Quit clicking on stuff in obvious spam e-mails!
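The log check described above (distinct users reaching the landing page, the exploit server, and the .exe payload, and how many of those requests the proxy flagged), as an added example that is not code from this post or from WebPulse. The "timestamp client url verdict" log layout and the spam-landing.example domain are assumptions standing in for the real log format and the unnamed spam domain; motorssmonito.com, personal-web-security.org and published-information.exe are from the post.

```python
import re
from urllib.parse import urlparse
# Constructed sample proxy log in an assumed "timestamp client url verdict" layout
# (not WebPulse's real format); spam-landing.example stands in for the unnamed spam domain.
SAMPLE_LOG = """\
2012-06-25T10:01:02 10.0.0.5 http://spam-landing.example/offer.html None
2012-06-25T10:01:03 10.0.0.5 http://motorssmonito.com/in.php?x=1 Malware
2012-06-25T10:02:10 10.0.0.7 http://spam-landing.example/offer.html None
2012-06-25T10:05:00 10.0.0.9 http://personal-web-security.org/published-information.exe Suspicious
2012-06-25T10:06:00 10.0.0.9 http://personal-web-security.org/published-information.exe Suspicious
2012-06-25T10:07:00 10.0.0.11 http://personal-web-security.org/published-information.exe Suspicious
this line is corrupt and must be skipped
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<url>\S+) (?P<verdict>\S+)$")

# Stages of the two campaigns in the post: landing page, exploit-kit server, .exe payload.
STAGES = [
    ("landing", "spam-landing.example", None),
    ("exploit kit", "motorssmonito.com", None),
    ("payload", "personal-web-security.org", "/published-information.exe"),
]
def parse_log(text):
    """Parse well-formed lines into dicts with host and path split out; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the triage
        e = m.groupdict()
        u = urlparse(e["url"])
        e["host"], e["path"] = (u.hostname or "").lower(), u.path
        events.append(e)
    return events

def funnel(events, stages):
    """Per stage: distinct clients, requests, and requests the proxy flagged (verdict != None)."""
    report = {}
    for label, host, path in stages:
        hits = [e for e in events if e["host"] == host and (path is None or e["path"] == path)]
        report[label] = {"clients": len({e["client"] for e in hits}),
                         "requests": len(hits),
                         "flagged": sum(e["verdict"] != "None" for e in hits)}
    return report

def dropoff(events, landing_host, exploit_host):
    """Clients that reached the landing page but never requested the exploit server."""
    reached = {e["client"] for e in events if e["host"] == landing_host}
    exploited = {e["client"] for e in events if e["host"] == exploit_host}
    return reached - exploited
```

The dropoff set is the group the post puzzles over: users who followed the spam link but whose browser never fetched the exploit-kit iFrame, which is worth a closer look in the full logs before concluding they were never served it.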