
Zero Day

Ryan Naraine and Dancho Danchev

Malware Watch: Adobe zero day attack, malicious FIFA-themed spam, exploit serving Virus Alerts

By | June 11, 2010, 2:51pm PDT

Summary: Researchers from WebSense are reporting on three currently active malware campaigns, attempting to trick end users into opening malicious HTML files, or automatically exploiting vulnerable PCs relying on the recent Adobe zero day flaw (CVE-2010-1297).


The first campaign is using a FIFA World Cup scandal theme, whereas the second is relying on the well known (see Fake Conficker Infection Alerts) “Virus Infection” alert theme. The Adobe zero day flaw exploitation is taking place through a mass SQL injection attack currently affecting thousands of pages.

More details:

The ongoing mass SQL injection attack is closely related to another mass injection campaign that took place earlier this week:

The attack is closely related to the hxxp://ww.robint.us/[REMOVED].js  attack earlier this week that our friends at Sucuri blogged about, where the common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the new mass injection attack still have the robint.us code present.

The company published a video demonstrating what happens on an affected computer. A patch for the Flash flaw has already been released, with Acrobat's patch scheduled for June 29th. Users are always free to switch to an alternative PDF reader.

More details on the FIFA/Virus Alerts themed campaigns:

At the dawn of the eagerly anticipated World Cup tournament, we would expect to be inundated with suitably themed spam.  The sample we have encountered today is a little different from the usual, as the technique used may not raise suspicion.  We have seen over 80,000 email messages in this new campaign, which uses an HTML attachment with an embedded JavaScript.  Upon execution, this script leads to a malicious Web site, from which we are protecting our customers with our real-time analytics in our ACE engine.

Upon opening the malicious HTML file, an obfuscated JavaScript snippet loads a tiny iframe that redirects to the actual malicious link. Moreover, the cybercriminals behind the campaign are also optimizing the click-through traffic by loading a second URL, this time serving a well known pharmaceutical scam theme - the Canadian Pharmacy. Both campaigns appear to be managed by the same individual/gang.
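The technique described above (an HTML attachment whose obfuscated script writes a tiny iframe, plus a second URL loaded via a redirect) is something a mail gateway or analyst can flag statically. The following Python scanner is an added example written for this post, not WebSense's ACE logic or anything from the original article: it parses an HTML attachment, decodes `unescape('%..')` and `String.fromCharCode(...)` literals inside scripts, re-parses the decoded payload, and reports tiny or external iframes, meta-refresh redirects, and decode/write calls. The three sample attachments and the `example.invalid` URLs are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Calls commonly used to decode and inject a payload at runtime.
DECODE_OR_WRITE_CALLS = re.compile(
    r"\b(unescape|eval|String\.fromCharCode|document\.write)\s*\(")
# A quoted string literal that contains at least one %XX escape.
PERCENT_LITERAL = re.compile(
    r"'([^'\n]*%[0-9A-Fa-f]{2}[^'\n]*)'|\"([^\"\n]*%[0-9A-Fa-f]{2}[^\"\n]*)\"")
CHARCODE_LIST = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
REFRESH_URL = re.compile(r"url\s*=\s*(\S+)", re.I)

# Constructed samples (not real campaign files): a FIFA-themed lure whose script
# writes a 1x1 iframe, a plain meta-refresh redirect page, and a benign page.
SAMPLE_LURE = """<html><body><h1>FIFA World Cup 2010 - breaking news</h1>
<script>
var s = unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fx.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E');
document.write(s);
</script></body></html>"""
SAMPLE_REFRESH = """<html><head>
<meta http-equiv="refresh" content="0;url=http://example.invalid/pharma">
</head><body>Loading...</body></html>"""
SAMPLE_BENIGN = """<html><body><p>Match report</p>
<script>document.getElementById('score');</script></body></html>"""


def _decode_literals(script):
    """Return the script text followed by the decoded form of any payload literals."""
    decoded = [script]
    for m in PERCENT_LITERAL.finditer(script):
        decoded.append(unquote(m.group(1) or m.group(2)))
    for m in CHARCODE_LIST.finditer(script):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return "\n".join(decoded)


class _Collector(HTMLParser):
    """Collects script bodies, iframe attributes and meta-refresh contents."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self.refreshes = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            self.iframes.append(a)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.refreshes.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _is_tiny(attrs):
    """True if the iframe is 1px or smaller in either dimension, or hidden via style."""
    def dim(v):
        try:
            return float(str(v).rstrip("px%"))
        except ValueError:
            return None
    w, h = dim(attrs.get("width")), dim(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def scan_html(html):
    """Return the sorted list of indicator names found in one HTML attachment."""
    findings = set()
    top = _Collector()
    top.feed(html)
    for script in top.scripts:
        if DECODE_OR_WRITE_CALLS.search(script):
            findings.add("obfuscated_script")
        # Re-parse what the script would write at runtime, so an iframe hidden
        # inside unescape('%3Ciframe...') is still seen.
        inner = _Collector()
        inner.feed(_decode_literals(script))
        top.iframes.extend(inner.iframes)
        top.refreshes.extend(inner.refreshes)
    for attrs in top.iframes:
        if _is_tiny(attrs):
            findings.add("tiny_iframe")
        if (attrs.get("src") or "").lower().startswith(("http://", "https://")):
            findings.add("external_iframe")
    for content in top.refreshes:
        if REFRESH_URL.search(content):
            findings.add("meta_refresh_redirect")
    return sorted(findings)


if __name__ == "__main__":
    for name, sample in [("lure", SAMPLE_LURE), ("refresh", SAMPLE_REFRESH),
                         ("benign", SAMPLE_BENIGN)]:
        print(name, scan_html(sample))
```

The scanner is deliberately conservative: it only reports what the markup and the decodable literals actually contain, so a quarantine rule can key on combinations (for instance `obfuscated_script` together with `tiny_iframe`) rather than on any single indicator, which keeps false positives on ordinary HTML newsletters low.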

Related posts:

With FIFA-themed scams and drive-by download campaigns likely to escalate, consider going through the related "Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns" and "Ultimate guide to scareware protection" posts.


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.
