Terrorist threat used for malware distribution

Today’s email is one that supposedly informs the recipient of the location of impending terrorist attacks in Sydney. In reality, the email is using the fear of terrorist attacks in Sydney to distribute malware via email attachments.

The Australian government site Stay Smart Online has the full text of the email. This email directly plays on two recent public terrorist attacks, one in Sydney and one in Paris, which have been attributed by some commentators to ISIS. The email attachment may be in word format or RAR format.

It is a common trick (sadly) for criminals to use public tragedies or disasters to further their own malevolent schemes. Last year we saw an email campaign that used the Ebola epidemic as phishing bait. Another campaign used MH17 to try to entice users to click on links.

In the case of the Ebola phishing campaign, a Remote Access Tool was delivered via an email, but disguised as a RAR attachment. The subject line would usually read “Ebola Safety Tips-By WHO”. The malware associated with the email varied; in one case DarkComet was used. DarkComet is a keystroke logging malware that is capable of also executing remote commands.

MH17 was another tragedy used by scammers in an attempt to steal user information. In this case, fake Facebook pages were set up. These pages directed users to blogs that contained malicious ads. In some cases, the ads were used to deliver drive by downloads.

We have not (yet) seen this particular email, but we mention it here and provide a link for the reader to check further. Should we start receiving this email we will publish a screenshot to alert users.

In the meantime, if you do receive this email, delete it.

Scott Reeves
MailShark
Free anti-spam service
Free email filter service