April 19, 2007
Spammers tapping into Va. Tech shooting
Security researchers are tracking a rapid move by spammers and malware distributors to use this week's mass murder at Virginia Tech as a new avenue for luring people to open unsolicited e-mail messages.
Spam experts have already seen an initial wave of messages bearing subject lines and content that advertises information about the shootings at the school, which bears the official name of Virginia Polytechnic Institute and State University.
Researchers have also observed that a large number of Internet domain names related to the university and the shootings have been scooped up since the tragedy first unfolded.
On Monday, April 16, Virginia Tech student Cho Seung-Hui is alleged to have carried out a killing spree that resulted in the death of 32 students and instructors at the school before taking his own life as police closed in on the building where the bulk of the shootings occurred.
On April 19, researchers with the security education outfit SANS Institute, based in Bethesda, Md., reported that registration of new domain names that either directly reference Virginia Tech or the shootings has spiked, with over 450 of the URLs and e-mail addresses purchased since the tragic event was reported.
In a blog post on the SANS Internet Storm Center Web site, Chief Research Officer Johannes Ullrich wrote that the uptake of the Virginia Tech domains occurred at an even faster pace than similar activity around other recent news events targeted by spammers, including Hurricane Katrina in 2005.
"Some of them are used for benevolent purposes, however, a good share of them are parked for auction and even used for fraudulent donations," said Ullrich.
To help thwart the spammers' efforts, SANS has set up a list of the suspicious addresses related to the event and is requesting help from other researchers interested in investigating the domains.
Researchers at anti-virus specialists Sophos, based in Burlington, Mass., have already discovered a malware-laden spam campaign that attempts to use the Virginia Tech shootings to trick people into opening a file and infecting their computers.
In spam messages bearing subject lines that advertise camera phone footage of the shootings, Sophos said it found a link that directs users' machines to a site that installs a Trojan virus designed to steal users' online banking passwords and account information.
The malware file itself has also been tailored to capitalize on interest in the shootings, bearing the label TERROR_EM_VIRGINIA.scr.
"Cyber criminals prey on the interest of concerned citizens hoping for the latest information on breaking news and, if history repeats itself, we'll see this campaign continue until interest [in the tragedy] fades," said Ron O'Brien, senior security analyst at Sophos. "We've seen similar behavior with other tragedies like Katrina and the death of Pope John Paul II."
Security experts said that efforts to capitalize on major news events -- in particular incidents of great concern such as natural disasters -- have become a common operating model for spammers and malware distributors.
However, lawmakers are also beginning to look at the purchase of suspicious domain names to take their cues about which sites and e-mail campaigns to watch out for, said David Jevans, chairman of the nonprofit Anti-Phishing Working Group (APWG) industry association.
"Whenever there's some bad news we're seeing more people proactively registering domain names, some of which are used for phishing or spam and some of which are fronts for fake charities," said Jevans. "Previously most of this activity has been focused on natural disasters but now we see the Virginia Tech shootings, which could point to the use of a broader spectrum of these types of themes."
Jevans said that the Department of Justice is establishing a group that will attempt to track such activity and investigate the individuals who register domains that become sources of spam or malware and phishing attacks.
"Overall this is further evidence that more people are engaged in these types of activities and with the competition that brings you have more people thinking outside the box about creating more innovative ways to trick users," Jevans said.
Officials with firewall and filtering device maker Barracuda Networks, based in Mountain View, Calif., said that social engineering among spammers has become significantly more sophisticated over the last year as businesses and consumers employ new technologies that have helped limit attacks.
"It's all about social engineering for the smarter spammers these days, part of their work is figuring out the right technologies to use to defeat filters, but as much effort is going into figuring out what users might open," said Stephen Pao, vice president of product management at Barracuda. "It's all about getting the eyeballs, and not just getting the message to the user, but also convincing them to open it."
For those people interested in making donations in the wake of the Virginia Tech shootings, the school has set up its own charity, labeled as the Hokie Spirit Memorial Fund, information on which can be found through the university's own Web site.
Posted by Matt Hines on April 19, 2007 12:09 PM