Malware Sites Exploit Bhutto Assassination
"We've come to understand that almost any high impact media event is going to be used as a social engineering tool for malware," said Dave Marcus, security research and communications manager at McAfee. "It's such a horrible event, but at the end of the day, it's a very good social engineering tactic."
The Websites take advantage of the tragedy by enticing users to download a fake codec, purporting to be a video of Bhutto's assassination. When users visit the sites, they download a piece of information-stealing malicious code, instead of a video, to their machines.
"They entice users through posing as news for the events," said Dan Hubbard, vice president of security research for San Diego-based Websense, a security company specializing in Web and content filtering, via e-mail. "(The sites) are malicious however, and behind the scenes, attempt to infect users who have unpatched PCs and install Trojan Horses for financial gain."
The compromised sites contain malicious scripts injected into the Web pages that redirect visitors to the 3322 domain, which security researchers have detected in other high profile attacks.
"It's not cutting edge malware," Marcus added. "It's not even a new piece of malware. It's just a popular piece of malware."
So far, at least 10 blogger Web sites have been found to host the fake video, and security experts say that there are likely numerous others that contain malware under the Google search results for "Benazir Bhutto."
Security researchers say that in the past, attackers have typically taken advantage of subjects that receive high amounts of traffic on search engines, such as international media events. Attackers will often disseminate malware by duping a search engine's algorithm and manipulating keyword searches to get their malicious sites at, or close to, the top of the search engine's rankings.
"This is happening more and more often, not just with Google, with all search engines," said Hubbard.
While security professionals say that the company has been alerted to the problem, Google did not immediately respond to queries from CRN.
"If it's a high impact media event, chances are it's going to be pushing out malware," said Marcus. "It's not Google's fault. It's just that the attackers are using the free service that Google provides."
To protect PCs from being affected by this kind of attack, experts recommend that users keep all of their security software updated and only visit valid sources when searching for news.
"Don't just rely on a Google Web site which aggregates news," said Marcus.