Always quick to capitalize on major headlines, spammers have begun sending out messages related to the deaths of Michael Jackson and Farrah Fawcett, security researchers said.
Jackson's death is being exploited by cybercriminals hoping to infect users with a troan or to trick curious spam recipients into unwittingly revealing their personal information. Shortly after Jackson's death was confirmed, the SANS Internet Storm Center predicted that spam related to the deaths of Michael Jackson and Farrah Fawcett would begin to crop up.
“With the reported death of Farrah Fawcett and Michael Jackson today, it is likely only a matter of hours before we will start seeing SPAM relating to the subject,” a SANS Internet Storm Center blog post warned. “So it may be a good idea to remind your users that mail from unknown sources should not be opened and links should not be clicked.”
And they were right -- approximately eight hours after Michael Jackson's death, spammers began sending out malicious messages, according to security firm Sophos. The first wave of spam detected by Sophos came with the subject, “Confidential===Michael Jackson.” In the message, spammers claim to know “vital information” about Jackson's death and want to share this information with the recipient. These emails do not contain any type of malicious attachment or link, Sophos said in a blog post Friday.
“It's hard to know exactly what the purpose of the campaign is, but at the very least replying to the email to ask for more information will tell the hacker that you are a ‘live' target for future spam campaigns and attacks,” Graham Cluley, Sophos' senior technology consultant told SCMagazineUS.com in an email Friday. “But it's also possible that hackers could try and bring you into their confidence and might share with you links or attachments that are designed to infect your computer.”
Sophos said that similar spam campaigns related to Farrah Fawcett's death have been propagating as well.
A different spam campaign, targeting Portuguese speaking users is offering recipients a link to supposed “images of the body” and unpublished videos of Jackson which, if downloaded, will infect users with a trojan, Carl Leonard, security research monitor at security firm Websense told SCMagazineUS.com on Friday.
“The spam email appears to offer a link to a YouTube video, but instead sends the recipient to a trojan downloader hosted on a compromised website,” Websense wrote in a blog post Friday.
Following the link contained in the email will direct users to a legitimate website for a radio broadcasting station in Australia, which has been compromised and is now hosting the malicious file, called “Michael.Jackson.videos.scr.” Attempting to download this file will cause a legitimate news website with a story about Jackson's death to open, providing a distraction for the user, Leonard said. But, unbeknownst to the user, three information-stealing components will be downloaded and installed by the malware.
The downloaded file has a low anti-virus detection rate -- detected by just five of the 41 most popular AV engines, Websense said.
Once infected, this trojan tries to steal a user's online banking credentials, Leonard said. When a user visits certain online banking websites while infected with this trojan, their username and password is sent off to other compromised servers, where malware authors can harvest the data. Also, keyloggers -- which record a user's keystrokes -- may be installed at a later date.
Researchers said attacks taking advantage of Jackson's death will continue -- and evolve.
“We can expect that the malware authors will spread their wings and send out different emails in other languages,” Leonard said.
He added that attackers will probably launch search-engine optimization attacks, in which malicious sites will appear at the top of search engine results.