Alerts E-Threats Tips and Tricks

Within Hours of Boston Bombing, Related Keywords Spread to 20% of Spam, Bitdefender Study Shows

Hours after the Boston Marathon tragic incident, the words “marathon”, “Boston” or “explosion” had made their way into the subject headers of one in five spam messages, according to a Bitdefender study. The data reveal a disturbing cycle of spammers and scammers seeking to take profits from people concerned about terrorism.

Bitdefender anti-spam labs first spotted the trend in the hours after the bombing and, an analysis of the spam pool collected within hours shows that 20 per cent of the messages had one of the three keywords. The increasingly rapid adaptation of spam to ongoing current events comes as the spam business has grown more dangerous in the past several months, spicing up old messages with malicious attachments and links with vicious intent.

The reaction to the Boston bombings is an example of that – the dust has barely settled on the streets of Boston, and hackers, spammers and others are launching their own assault on those interested in finding out details about the April 15 Boston Marathon bombings.

With promises of Boston Marathon breaking news, videos of the bombings, aftermath to the explosion or runner captures, Internet criminals are pushing malicious e-mails with links hinting at the recent tragedy with words such as “news.html” or “boston.html” included in their names.

The IP addresses of these malicious websites correspond to domains registered across the globe, including USA, Bulgaria, Japan, Ukraine, Netherlands, Russia, China, Serbia and Montenegro, Taiwan, and Argentina.

The URLs lead innocent users to compromised web locations covering the dramatic event in Boston with some YouTube clips. The videos, though, are a cover up for a nasty malware attack.

In one of the samples analyzed by our labs, of the six iFrames loaded by the URL, only five of them were YouTube clips while the sixth one was a component of the infamous Red Kit exploit pack.

The malware downloaded by RedKit, identified by Bitdefender as Trojan.GenericKDZ.14575, is a password stealer that grabs users’ account passwords directly from their browsers while keeping an eye on the network traffic of the infected machine by dropping three legitimate WinPcap components. Some variants were reported to also steal bitcoin wallets, send e-mails and have download/upload capabilities.

Tips and tricks

If you receive an e-mail apparently about the bombings, please avoid opening it. And don’t open any attachments and never click the links in those messages.

When you look for news on the sad events, stick to your favorite news channels and choose only the official online portals of trustworthy news networks. This way you can avoid any “disposable” sites rigged with malware. These are sites that crooks have just set up but use search engine poisoning to boost their rankings to better infect people.

In case you want to help those in need and contribute some money, pay extra attention to whom you hand your credit card data. Double check any charity organizations pretending to collect money for the bombing victims, because some might be fake. Check with your local Better Business Bureau for guidance.

This article is based on the spam samples provided courtesy of Ionut-Daniel RAILEANU, Bitdefender Anti-spam Analyst and the technical details offered by Doina COSOVAN, Bitdefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.


Click here to post a comment