prince_georgeHello

British royal baby's birth drafted as phishing bait

It may be old news now, but hackers are still using news of the U.K. royal baby's birth to entice people into clicking on malicious links, according to researchers at Trend Micro.

When the official announcement was made on July 22, the researchers spotted plenty of spammed messages related to the birth of Price George. In a statement, they described the speed with which this spam hit the Internet as "remarkable."

"These messages appear to be from ScribbleLive, a service that provides real-time engagement platforms.

phishing
The false page (click to enlarge)

The offer, of course, is false, and clicking on links in the email will only trigger multiple redirections that are typical among Blackhole exploit kit (BHEK) spam runs," the researchers said.

BHEK is a page that cybercriminals use to determine what software versions are used by a victim so that the page can deliver the "correct" exploit. Generally, people using outdated software are more at risk of being caught by exploits.

In this case, the script that triggers the redirections is detected as JS_OBFUSC.BEB, the researchers said. This particular exploit targets two vulnerabilities in Java: CVE-2013-1493 and CVE-2013-2423. Both of these vulnerabilities have been patched by Oracle, though many people still run on older versions of Java.

Trend Micro described this technique of taking advantage of current affairs as a social engineering lure, adding that they often come in the form of highly publicized events. The researchers gave the Boston Marathon incident and the election of Pope Francis as prime examples. What's more, they said, hackers take advantage of more than one big news story at a time.

"This particular BHEK run is not limited to the royal baby alone. Other spammed messages took advantage of the controversy surrounding the upcoming sci-fi film Ender's Game," they said.

"While these messages are made to look like an article from CNN, clicking on links will trigger the same redirections as that of the royal baby spam."

Subscribe to the Security Watch Newsletter

Comments