Robin Williams' Death Used in Social Engineering Attacks



Fred Touchette

As the internet began to flood with word of the untimely death of comedian/actor Robin Williams yesterday, cybercriminals immediately jumped on board to catch unsuspecting information seekers off guard. A campaign that began coming in late last night appears to be hastily thrown together, but is very similar to other fake media-themed attacks that have ridden the crest of breaking news stories in the past. An oddly pale CNN logo appears at the top of the email in an attempt to pass it off as actual news. Below it are a picture of Williams, a headline in bold text that reads "Robin Williams Dies, See His Last Words On Video", and a brief news synopsis of the event.

[Image: Fake CNN News Alert]

There are two links included in these emails, one to "...see the video" and one that appears to be an "unsubscribe" link. Both links lead to the same place: a legitimate IT security domain that apparently hosted a subdomain with the payload for a brief period of time, or perhaps the attackers simply anticipated being able to host their malware on this newly exploited site. By the time we got to the sample, this subdomain had been taken down. Interestingly enough, though, the subdomain appears to be in Arabic when it's moused over, and is obviously hex percent-encoded when clicked so that the browser can properly interpret the destination.
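The link traits described above can be checked mechanically on an HTML message body. The following Python is an added example, not code from the original post; the class and function names, the finding codes and the sample markup (a reserved .example domain with a made-up percent-encoded Arabic label) are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html):
    """Return sorted finding codes for the link traits the article describes."""
    collector = AnchorCollector()
    collector.feed(html)
    findings, targets = set(), {}
    for text, href in collector.anchors:
        raw_host = urlsplit(href).hostname or ""
        shown_host = unquote(raw_host)  # decoded form, as a hover preview may render it
        if "%" in raw_host:
            findings.add("percent-encoded-host")
        if not shown_host.isascii():
            findings.add("non-ascii-host")
        targets.setdefault(unquote(href), set()).add(text.lower())
    for labels in targets.values():
        # An "unsubscribe" link should not share its destination with a content link.
        if len(labels) > 1 and any("unsubscribe" in label for label in labels):
            findings.add("unsubscribe-shares-target")
    return sorted(findings)

# Constructed sample: reserved .example domain with a made-up percent-encoded Arabic label.
SAMPLE = (
    '<a href="http://%D9%85%D8%AB%D8%A7%D9%84.vendor.example/">...see the video</a>'
    '<a href="http://%D9%85%D8%AB%D8%A7%D9%84.vendor.example/">unsubscribe</a>'
)

if __name__ == "__main__":
    print(audit_links(SAMPLE))
```

A newsletter whose unsubscribe link has its own URL on an ASCII host produces no findings, so the three codes together are what separates this message from ordinary bulk mail.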

Luckily, we seem to have all of these attacks in captivity and everything appears to have slowed down, but always remember to be vigilant when receiving unsolicited news such as this. It is a very common tactic that seems to work very well for those who try it.

[Image: Arabic Subdomain]