Malware attacks after the Boston bombing

Yesterday, in the wake of the bombings in Boston, I received an email that looks like this in my inbox.

The links, needless to say, do not go to CNN. Instead, they lead to

http://playhard.by/bostoncnn.html

*** WARNING *** WARNING *** WARNING ***

This site IS LIVE as of the time of writing this. It WILL attempt to infect your computer with malware. DO NOT visit this site if you don’t know what you’re doing!

playhard.by is a hacked site hosted in Belarus. The URL in the email is a link to a file planted on the site that redirects visitors, using both JavaScript and a REFRESH meta tag, to

http://sub.piecedinnerware.com/complaints/messages_shows_mentions.php
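Both redirect mechanisms named above (a REFRESH meta tag and a JavaScript location change) can be pulled out of a suspect HTML file without rendering it. The following extractor is an added example for this post, not code from the original; it feeds a constructed page that imitates the redirector's layout (placeholder host names, not the real ones) through Python's HTMLParser and reports which targets leave the host the page was served from.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample modelled on the redirector page the post describes:
# a meta refresh plus a JavaScript location change, with leftover "wire
# transfer" text. Every host name here is a placeholder, not a real site.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://landing.example.invalid/complaints/messages.php">
<script type="text/javascript">
  window.location = "http://landing.example.invalid/complaints/messages.php";
</script>
</head><body>
<p>Be sure you have a transfer reference ID. Please wait...</p>
<p>Redirecting to Complain details... Please wait...</p>
</body></html>"""

# JavaScript redirect forms: location = "...", location.href = "...",
# location.replace("..."), location.assign("..."), optionally prefixed
# by window./document./top./self.
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*"
    r"(?:=\s*|\.(?:replace|assign)\s*\(\s*)"
    r"['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


class RedirectExtractor(HTMLParser):
    """Collects redirect targets from <meta http-equiv="refresh"> and inline scripts."""

    def __init__(self):
        super().__init__()
        self.meta_targets = []
        self.script_targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=http://..." (the URL= keyword is case-insensitive)
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.meta_targets.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data; scan them for location changes.
        if self._in_script:
            self.script_targets.extend(m.group(1) for m in JS_REDIRECT.finditer(data))


def find_redirects(html, page_url):
    """Return distinct absolute redirect targets and those that leave the page's host."""
    parser = RedirectExtractor()
    parser.feed(html)
    parser.close()
    page_host = urlparse(page_url).hostname
    targets = []
    for raw in parser.meta_targets + parser.script_targets:
        absolute = urljoin(page_url, raw)  # resolve relative targets against the page
        if absolute not in targets:
            targets.append(absolute)
    offsite = [t for t in targets if urlparse(t).hostname != page_host]
    return {
        "meta": parser.meta_targets,
        "script": parser.script_targets,
        "targets": targets,
        "offsite": offsite,
    }


if __name__ == "__main__":
    result = find_redirects(SAMPLE_HTML, "http://compromised.example.invalid/bostoncnn.html")
    for url in result["offsite"]:
        print("off-site redirect ->", url)
```

Run it against a saved copy of the file rather than a live fetch; the parser never executes anything, so obfuscated scripts that build the URL at runtime will not be caught by the regex and should be treated as a separate signal.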

This site is hosted by an outfit called Colo Crossing, a server colocation facility headquartered in the US. The domain was registered through (wait for it…) GoDaddy:

tacit$ whois PIECEDINNERWARE.COM

Domain Name: PIECEDINNERWARE.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS17.DOMAINCONTROL.COM
Name Server: NS18.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 19-nov-2012
Creation Date: 19-nov-2012
Expiration Date: 19-nov-2013

>>> Last update of whois database: Thu, 18 Apr 2013 21:42:55 UTC <<<

Registrant:
Jigar Kapadia
B-32, Mani Ratna Raw House, Opp Sai Nagar
New Gujarat Gas Road, Adajan
Surat, Gujarat 395009
India

Administrative Contact:
Kapadia, Jigar contact@NewWaysys.com
B-32, Mani Ratna Raw House, Opp Sai Nagar
New Gujarat Gas Road, Adajan
Surat, Gujarat 395009
India
+91.9076026366

Technical Contact:
Kapadia, Jigar contact@NewWaysys.com
B-32, Mani Ratna Raw House, Opp Sai Nagar
New Gujarat Gas Road, Adajan
Surat, Gujarat 395009
India
+91.9076026366
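The whois record above is the kind of thing an analyst ends up parsing by script when triaging a batch of lure domains. The following is an added example, not code from the post: it reads the "Key: Value" layout shown above, computes how old the domain was on the day the email arrived, and reports the two cheap red flags this record exhibits, a domain registered only months before use and a minimum one-year registration term. The sample record is constructed in that layout with placeholder domain, registrar and name servers; only the date pattern mirrors the record in the post.

```python
from datetime import datetime

# Constructed whois record in the same "Key: Value" layout as the output
# quoted in the post. Domain, registrar and name servers are placeholders.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LURE.INVALID
Registrar: PLACEHOLDER REGISTRAR, LLC
Whois Server: whois.placeholder.invalid
Name Server: NS1.PLACEHOLDER.INVALID
Name Server: NS2.PLACEHOLDER.INVALID
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 19-nov-2012
Creation Date: 19-nov-2012
Expiration Date: 19-nov-2013
"""

# Date layouts seen in registrar whois output; the first is the one used above.
DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ")


def parse_whois(text):
    """Turn 'Key: Value' lines into {lowercased key: [values]}; repeated keys accumulate."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def parse_whois_date(value):
    """Accept the handful of date layouts registrars emit (month names are matched case-insensitively)."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    raise ValueError("unrecognised whois date: %r" % value)


def triage_domain(whois_text, observed_on, young_days=180):
    """Age the domain at the date (YYYY-MM-DD) the lure was seen and list the red flags."""
    fields = parse_whois(whois_text)
    observed = datetime.strptime(observed_on, "%Y-%m-%d").date()
    created = parse_whois_date(fields["creation date"][0])
    expires = parse_whois_date(fields["expiration date"][0])
    age_days = (observed - created).days
    term_days = (expires - created).days
    flags = []
    if age_days < young_days:
        flags.append("registered %d days before use" % age_days)
    if term_days <= 366:
        flags.append("minimum one-year registration term")
    return {
        "domain": fields["domain name"][0],
        "registrar": fields.get("registrar", ["?"])[0],
        "age_days": age_days,
        "term_days": term_days,
        "flags": flags,
    }


if __name__ == "__main__":
    report = triage_domain(SAMPLE_WHOIS, "2013-04-18")
    print(report["domain"], report["registrar"], report["age_days"], "days old")
    for flag in report["flags"]:
        print(" -", flag)
```

Neither flag proves anything on its own (plenty of legitimate domains are young and registered for one year), but combined with a redirect from a compromised host they are enough to prioritise a domain for blocking while the sample is analysed.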

The domain was registered last November and put into service after the Boston Marathon bombing. Interestingly, the HTML file that redirects to this site contains the following block of text:

Be sure you have a transfer reference ID. You will be asked to enter it after we check the link. Important: Please be advised that calls to and from your wire service team may be monitored or recorded.

Redirecting to Complain details… Please wait…

This suggests that an ordinary, garden-variety malware attempt, possibly something like a fake PayPal or bank transaction notification, was hastily modified to exploit the Boston attacks.

As per usual, if you receive any emails like this, do not be tempted to click on the links in them.

I expect to start seeing similar emails targeting the explosion at the fertilizer plant in Texas within the next 24 hours.
