Sponsored by..

Wednesday 17 April 2013

"Boston Marathon" spam / askmeaboutcctv.com

This pretty shameful Boston marathon themed spam leads to malware on askmeaboutcctv.com:

Sample 1:

From: Graham Jarvis [mailto:alejandro.alfonzo-larrain@tctwest.net]
Sent: 17 April 2013 09:49
Subject: Video of Explosion at the Boston Marathon 2013

hxxp:||61.63.123.44/news.html
Sample 2:

From: Sally Rasmussen [mailto:artek33@risd.edu]
Sent: 17 April 2013 09:49
To: UK HPEA 2
Subject: Aftermath to explosion at Boston Marathon

hxxp:||190.245.177.248/news.html
(Note that the payload links have been lightly obfuscated, don't click them).

If you click the link you see a set of genuine YouTube videos. However, the last one seems blank because it is in fact a malicious IFRAME to [donotclick]askmeaboutcctv.com/wmiq.html  (report here) which appears to be on a legitimate but hacked site. The server seems to be overloaded at the moment which is a good thing I suppose.



Some more sample subjects and links:
Subject: Video of Explosion at the Boston Marathon 2013
Subject: Aftermath to explosion at Boston Marathon
Subject: Explosion at Boston Marathon
Subject: Explosions at the Boston Marathon
Subject: 2 Explosions at Boston Marathon

[donotclick]46.233.4.113/boston.html
[donotclick]37.229.92.116/boston.html
[donotclick]188.2.164.112/news.html
[donotclick]109.87.205.222/news.html

I would advise blocking these IPs and domains. Be vigilant against this kind of attack, also bear in mind that the bad guys might try to exploit Margaret Thatcher's funeral and the London Marathon in the same way.

1 comment:

Martin said...
This comment has been removed by the author.