From: Maria Numbers [mailto:tjm7@deco-club.ru]
Sent: 18 April 2013 11:51
To: UK HPEA 3
Subject: CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
hxxp:||83.170.192.154/news.html
If you click through you get five genuine embedded YouTube videos plus a malware IFRAME that looks a bit like this:
At the moment the payload site is [donotclick]bigmovies777.sweans.org/aoiq.html (report here but site appears b0rked) but it seems to rotate every hour or so to a new domain. Almost all the domains I have seen are hacked legitimate sites hosted by WebsiteWelcome.
The Boston Marathon spam led to a RedKit exploit kit, and this probably does too. Given the ever-changing nature of the malware landing page, this one is rather difficult to stop. Advising your user population of the risk may be prudent.
Sample subjects:
CAUGHT ON CAMERA: Fertilizer Plant Explosion
CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
Raw: Texas Explosion Injures Dozens
Texas Explosion Injures Dozens
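Because the landing page rotates, the stable features are the subjects above and the link to a bare IP address. The following is an added example, not part of the original post: a mail triage check that flags messages combining both. The quarantine rule, the function names and the sample messages (which use documentation addresses) are assumptions made for illustration.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Subjects copied from the sample list in the post, lower-cased.
SUBJECTS = {
    "caught on camera: fertilizer plant explosion",
    "caught on camera: fertilizer plant explosion near waco, texas",
    "raw: texas explosion injures dozens",
    "texas explosion injures dozens",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def bare_ip_links(text):
    """Return URLs in text whose host is an IP literal rather than a name."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)")
        try:
            ipaddress.ip_address(urlsplit(url).hostname or "")
            hits.append(url)
        except ValueError:
            pass  # ordinary hostname or malformed URL
    return hits

def triage(raw_message):
    """Check a raw message for a campaign subject plus a bare-IP link."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    links = bare_ip_links(body.get_content() if body else "")
    match = subject in SUBJECTS
    # Assumed rule: quarantine only when both indicators are present.
    return {"subject_match": match, "ip_links": links,
            "quarantine": match and bool(links)}

# Constructed sample messages (192.0.2.0/24 is a documentation range).
SAMPLE_SPAM = ("From: sender@example.com\n"
               "Subject: CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas\n"
               "\nhttp://192.0.2.10/news.html\n")
SAMPLE_NEWS = ("From: alerts@example.org\n"
               "Subject: Texas Explosion Injures Dozens\n"
               "\nFull story: http://news.example.org/story.html\n")

if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("news", SAMPLE_NEWS)):
        print(name, triage(raw))
```

Requiring both indicators keeps genuine news alerts that reuse the same headline out of quarantine.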