?

Log in

No account? Create an account

Previous Entry | Next Entry

Malware attacks after the Boston bombing

Yesterday, in the wake of the bombings in Boston, I received an email that looks like this in my inbox.



The links, needless to say, do not go to CNN. Instead, they lead to

http://playhard.by/bostoncnn.html

*** WARNING *** WARNING *** WARNING ***

This site IS LIVE as of the time of writing this. It WILL attempt to infect your computer with malware. DO NOT visit this site if you don't know what you're doing!


playhard.by is a hacked site hosted in Belarus. The URL in the email is a link to a file planted on the site that redirects visitors, using both JavaScript and a REFRESH meta tag, to

http://sub.piecedinnerware.com/complaints/messages_shows_mentions.php

This site is hosted by an outfit called Colo Crossing, a server colocation facility headquartered in the US. The domain was registered through (wait for it...) GoDaddy:

tacit$ whois PIECEDINNERWARE.COM

Domain Name: PIECEDINNERWARE.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS17.DOMAINCONTROL.COM
Name Server: NS18.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 19-nov-2012
Creation Date: 19-nov-2012
Expiration Date: 19-nov-2013

>>> Last update of whois database: Thu, 18 Apr 2013 21:42:55 UTC <<<

Registrant:
Jigar Kapadia
B-32, Mani Ratna Raw House, Opp Sai Nagar
New Gujarat Gas Road, Adajan
Surat, Gujarat 395009
India

Administrative Contact:
Kapadia, Jigar contact@NewWaysys.com
B-32, Mani Ratna Raw House, Opp Sai Nagar
New Gujarat Gas Road, Adajan
Surat, Gujarat 395009
India
+91.9076026366

Technical Contact:
Kapadia, Jigar contact@NewWaysys.com
B-32, Mani Ratna Raw House, Opp Sai Nagar
New Gujarat Gas Road, Adajan
Surat, Gujarat 395009
India
+91.9076026366


The domain was registered last November, and put into service after the Boston Marathon bombing. (Interestingly, the HTML file that redirects to this site contains the following block of text:

Be sure you have a transfer reference ID. You will be asked to enter it after we check the link. Important: Please be advised that calls to and from your wire service team may be monitored or recorded.

Redirecting to Complain details... Please wait...


This suggests that an ordinary, garden-variety malware attempt, possibly something like a fake PayPal or bank transaction notification, was hastily modified to exploit the Boston attacks.

As per usual, if you receive any emails like this, do not be tempted to click on the links in them.

I expect to start seeing similar emails targeting the explosion at the fertilizer plant in Texas within the next 24 hours.


Comments

( 1 comment — Leave a comment )
jayene
Apr. 18th, 2013 10:37 pm (UTC)
Snopes has also been reporting on this.... http://nakedsecurity.sophos.com/2013/04/17/malware-boston-marathon-bombing/ I've had a few of these kind of emails float up in my email. They went unopened to the trash.
( 1 comment — Leave a comment )