Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: SPAM and Malware taking advantage of H1N1 concerns - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
SPAM and Malware taking advantage of H1N1 concerns

Gary writes in, telling us of a recent spike in SPAM with a title similar to "“State Wide H1N1 Vaccination Program", which pretends to originate from the CDC (Center for Disease Control).  The email goes on to instruct you to "follow this link to create a vaccination profile on the CDC website".

Needless to say, this email is a fake, it redirects you to a site in the Ukraine, and plants malware on your PC.  The URL is "http://online.cdc.gov, followed of course by the real domain name,  six or seven digits of seemingly random characters.

You do not need to register with the CDC to receive a vaccine for the H1N1 strain of influenza

There's also a rise in fake H1N1 sites using other vulnerabilties to compromise your PC, including the recent Adobe issues.

It never ceases to amaze me the depths that these "malware folks" will stoop to. 

If you are following a link in your email - always check to see that it's taking you where you think you are going before you click it.  Copy and paste it through your clipboard, or rekey the link entirely in your browser.  This kind of deception is just so prevalent that clicking links in a received note is simply not safe!

Rob VandenBrink

458 Posts
ISC Handler
iTinker writes with more information on the website behind this spam.

The site uses a hidden iframe on the first page, which opens another site with 2 other iframes, one with a boobytrapped PDF, and one with a javascript infector, both using the adobe exploits we referenced.

This "russian doll" iframe approach is currently seeing a lot of popularity, as it has a lot of success against many of today's filters and detectors.
Anonymous

Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!