Security experts at TrendMicro have detected a spam campaign via Twitter which exploits the incident occurred to Malaysia Airlines Flight MH17.

Unfortunately tragedies like the one occurred to the Malaysia Airlines Flight MH17 or the recent escalation in Gaza are an excellent occasions for cyber criminals that try to exploit the public attention to carry out illegal activities. Cyber criminals could arrange spam campaign and phishing attacks to collect victims’ personal information and serve malware. Security experts have observed cyber attacks which are explicitly using news on the Malaysia Airlines Flight MH17 crash to deceive Internet users.  Media agencies sustain that the Boeing 777 Flight MH17 of the Malaysia Airlines,  carrying 298 individuals (including passengers and crew members), was struck by a missile launched by a mobile ground station. Russian and Ukrainian governments are exchanging mutual accusations on the terroristic attack, public opinion is blaming pro-Russian separatist rebels sustaining that the Kremlin is helping them to destroy the clues. Social media are flooded by news and images on the crash of Malaysia Airlines Flight MH17, cyber criminals are using social engineering techniques to spread malware tricking victims into visit compromised web site. Experts at security firm Trend Micro have detected tweets written in Indonesian language which spread news related tothe crash of the Malaysias Airlines Flight MH17, the tweet includes the hashtag #MH17 to lure victims that search for information on the incident. The cyber criminals behind this malicious campaign started their operations just after the crash on July 17th, one of the tweet states:

Malaysia Airlines has lost contact of MH17 from Amsterdam. The last known position was over Ukrainian airspace.

The message was retwetted by hundreds of users, that in an unconscious were advantaging the scammers spreading the malicious links.

m1

The experts at TrenMicro discovered that the URLs used by criminals resolve to the following IPs:

  • 72[dot]8[dot]190[dot]126
  • 72[dot]8[dot]190[dot]39

The analysis revealed that the IPs belong to a shared hosting in the US, many other domains are mapped on these addresses, some of them legitimate. The experts discovered that the spam campaign related Malaysia Airlines Flight MH17 has as a primary purpose the increase of hits/page views on sites or ads managed by cyber criminals. The malicious domains were mainly used to spread a ZeuS variant SALITY malware.

ZeuS/ZBOT are known information stealers while PE_SALITY is a malware family of file infectors that infect .SCR and .EXE files. Once systems are infected with this file infector, it can open their systems to other malware infections thus compromising their security.” reports the blog post from TrendMicro.

Cybercriminals always exploit news on tragic events, in the past security experts have seen several scams and threats that leveraged news like the Boston marathon and 2011 tsunami/earthquake in Japan, be aware because they will continue to do this … and the crash  of the Malaysia Airlines Flight MH17 is still an excellent news to ride.

Pierluigi Paganini

(Editor-In-Chief, CDM)

rsa-logo