Jul 30 2013

Blackhole Malware Lurks Behind Royal Baby Announcement

Cybercriminals act fast to take advantage of global interest in latest addition to the British royal family.

While there was a great deal of intrusive speculation leading up to the birth of the Duke and Duchess of Cambridge’s son, the malicious action didn’t start until after Prince George’s arrival.

Kaspersky Lab researcher Michael Molsner reported on July 24 (two days after the prince’s birth) that the company’s spam traps had flagged a suspicious email. The suspect email was titled “The Royal Baby: Live Updates.” Within this email was a link, “Watch the hospital-cam.” Interestingly, the link within the email itself went nowhere.

Molsner speculates that this link was leading to a compromised website that had been recently cleaned. A quick Internet search using the link’s title turned up just one hit.

Following this path to the same content in the email yielded one key difference: the “Watch the hospital-cam” link was still live. Anyone clicking on it was quickly served tainted JavaScript files, driving the user into the clutches of a waiting Blackhole exploit kit server. In security parlance, this is a classic drive-by attack for infecting web browsers.

The Blackhole exploit kit is one of the most prevalent security threats, accounting for nearly 30 percent of all threats detected by security vendor Sophos between October 2011 and March 2012. This piece of crimeware, believed to have been developed by Russian cybercriminals, is incredibly efficient at its job: exploiting vulnerabilities in a computer’s browser to trick it into downloading and running malware covertly, without the user’s knowledge.

Once the computer is infected, the perpetrator then delivers its payload, which could be anything from ransomware to a rootkit — basically opening up that computer to further exploitation. Typically, the perpetrator then “sells” this compromised PC to others for whatever malicious activity they are planning.

Minimum defensive moves to protect against Blackhole include running antivirus and host-based intrusion-prevention systems on the machine and keeping all browsers, browser plugins and operating systems up to date.