Japanese disaster - ammo for cyber arsenal
It's no secret that criminals try to use huge disasters to their benefit to make some cash, and this time is no exception! We have been able to track several black hat methods used to convince people to "help" Japan's disaster-affected population. The set of techniques is not new and usually involves:
- SEO poisoning
- Rogue AV (anti-virus)
- Phishing emails asking for donation
- Malicious files attached to emails claiming to be legitimate documents
- Facebook apps with CPA (cost per action) lead surveys
Websense customers are protected from such attacks with our Advanced Classification Engine analytics, our suite of technologies within TRITON.
Black Hat SEO
SEO poisoning was in use within minutes after the first wave hit the Japanese coast. Searching for the latest information with common terms like "japan earthquake news 2011" brings all sorts of results, including malicious sites hosting fake AV.
Looks like a benign search result:
Following the link, the victim lands at a website with a slightly modified version of the redirection to fake AV. In previous campaigns such websites hosted the fake AV directly; nowadays they redirect to it.
Rogue AV
When redirected via a "CLICK HERE" button, a warning appears stating that your computer might already be infected:
Whether the "Cancel" or "OK" button is clicked, a rogue Windows-style anti-virus will pop up, even though the browser is running on a Linux OS.
Phishing Email
Below is a very simple, nicely written and almost legitimate-looking email which asks the recipient for a donation on behalf of Humanitarian Care Japan. Notice this little detail: the "reply to:" address is a free mail address and completely different from the sender's address.
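The reply-to mismatch above is a cheap header check a mail gateway can run. The following Python is an added example (not part of the original post): it parses a constructed message and flags a Reply-To that differs from the From domain or uses a free webmail provider; the provider list is an assumption to be extended for your environment.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed list of free webmail domains; extend to match your environment.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "live.com", "aol.com"}


def _domain(header_value):
    """Extract the lower-cased domain part of an address header (or '' if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def suspicious_reply_to(raw_message):
    """Return the reasons a message matches the donation-scam header pattern.

    An empty list means neither indicator fired.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    reasons = []
    # Indicator 1: replies are steered to a different domain than the sender's.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    # Indicator 2: the reply address lives on a free webmail provider.
    if reply_dom in FREE_MAIL_DOMAINS:
        reasons.append(f"Reply-To uses free webmail domain '{reply_dom}'")
    return reasons


# Constructed sample mirroring the donation appeal described above.
SCAM_SAMPLE = b"""From: Humanitarian Care Japan <info@charity-example.example>
Reply-To: donations.japan2011@gmail.com
To: recipient@example.com
Subject: Urgent appeal: help the victims of the Japan earthquake

Please reply to this message with your donation details.
"""

# Constructed clean sample: no Reply-To header at all.
CLEAN_SAMPLE = b"""From: Alice <alice@example.com>
To: bob@example.com
Subject: Meeting notes

See you tomorrow.
"""

if __name__ == "__main__":
    for reason in suspicious_reply_to(SCAM_SAMPLE):
        print("FLAG:", reason)
```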
Malicious Email
Another type of e-mail used is the malicious e-mail, either carrying a malicious attachment or containing links leading to malicious content. The one shown here is used in a targeted attack: it provides information about the nuclear crisis in Japan and has an attached document called "Understanding Japan's Nuclear Crisis.doc" which, surprisingly enough, has very low detection coverage (5/43) on VirusTotal (VT). Also, as you can see from the message source, it was sent from a free mail account.
Facebook apps with CPA lead survey
Last, but not least, attacks also arrive through social networks. For example, the Websense Threatseeker Network has identified a set of websites that entice users to watch a video about the latest disaster events in Japan. As you can see in the picture below, the involved sites are registered under the .info TLD; "D1" stands for "Registered for 1 day". Instead of getting a movie, users are redirected to a Facebook application installation page. The application asks for permission to post on the user's wall.
The scam application goes by different names such as "RemoteViews", "Collect", "Consumer" and others. Once clicked, it asks the victim to fill in a survey to unlock pictures of people who viewed the victim's profile:
It also leaves a post on the victim's wall with a link to this application:
We have already discussed CPA (cost per action) leads, as well as most of the techniques listed in this post, in our previous blog about Viral Facebook Applications.
In conclusion, we can see how, again and again, such disastrous events give cybercriminals plenty of "ammo" for their "arsenal" of malicious activities.