George Tubin, Trusteer

How Breaking News Is Used To Plant Malware

Spear-phishing -- where emails lure readers or customers of trusted institutions to compromised websites -- has become one of the main tools fraudsters use to compromise endpoints inside financial institutions.

While the world's attention was recently focused on the Syrian crisis and the alleged use of chemical weapons, cyber-criminals were taking advantage of the situation. News seekers, eager to learn about the latest developments, the possibility of a U.S. strike and the diplomatic efforts to end the civil war, became easy targets. Using fake news alerts, cyber-criminals lured unsuspecting readers to malicious websites where their devices were infected with advanced, information-stealing malware.

In one such spear-phishing campaign, emails contained links that directed the reader to a legitimate website that had been compromised -- these sites are often called 'watering holes.' The compromised site contained malicious code that exploited a known Java vulnerability to silently download malware on the victim's machine using the now-familiar infection process known as a 'drive by download.'

Using breaking news to carry out phishing attacks is nothing new, but it is effective. That's because an email containing this type of information is more readily opened than one that claims to offer a unique investment opportunity or new weight loss product. In addition to breaking news, attackers will also exploit the name of trusted institutions to deliver malware.


For example, in July the FBI's Internet Crime Complaint Center and the Department of Homeland Security received complaints regarding a ransomware campaign using the name of DHS to extort money from unsuspecting victims. The scam directed victims to a download website where the Reveton malware was installed on their computers and attempted to coerce them into paying a fine to "unlock" the machine.

The Trojans installed in these cyber-attacks allow the criminals to capture log-in credentials and other sensitive information from the user's machine. This information is typically used to conduct financial fraud or an advanced targeted attack.

In August a hacker group called the Syrian Electronic Army (SEA) used a targeted phishing attack to steal credentials from a reseller for an Australian domain registrar. The stolen information was used to change the DNS (Domain Name System) records for several domain names. This resulted in traffic to those websites being temporarily redirected to a server under the attackers' control.

Attack Methods

Spear-phishing attacks use two techniques to secretly install malware on end-user devices. The first embeds a link to a malicious website in the email message that either takes advantage of application vulnerabilities to secretly install malware in the background or entices the user to download a file that contains malware. The second technique embeds a file in the email message, usually a "weaponized document" that secretly installs malware when opened. Additionally, machines can be compromised when users visit legitimate websites that have been infected with malware installers or by installing legitimate-looking files that actually contain malware (Trojan horses).
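The two delivery techniques described above (a link whose visible text disguises the real destination, and an attached "weaponized document"), together with the news-themed lure described earlier, can be triaged mechanically at the mail gateway. The following is an example added to this page, not code from Trusteer or the author; the two messages, the lure-word list and the risky-extension list are constructed for illustration, and the domain-matching helper assumes no public-suffix list is available offline.

```python
"""Triage a raw e-mail for the spear-phishing delivery techniques the
article describes: a news-themed lure, a link whose visible text does not
match its real destination, and a risky attachment. Example code added to
this page; sample messages and word lists are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types commonly used to carry droppers (constructed list; tune locally).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jar", ".vbs", ".docm", ".xlsm", ".pptm", ".zip", ".rar"}
# Words matching the breaking-news lure theme (constructed list).
LURE_WORDS = {"breaking", "urgent", "alert", "strike", "crisis"}
# Visible link text that itself looks like a URL, e.g. "www.cnn.com/story".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (assumption: no public-suffix list offline)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_message):
    """Return {'score': n, 'findings': [...]} for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. News-style lure in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in LURE_WORDS):
        findings.append("news-style lure in subject")

    # 2. Links whose visible text names one site but whose href goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, shown in parser.links:
        host = urlparse(href).hostname or ""
        if URL_LIKE.match(shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(host):
                findings.append(f"link text {shown!r} actually points at {host}")
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
            findings.append(f"link to bare IP address {host}")

    # 3. Attachments of types used to carry 'weaponized documents' or droppers.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name}")

    return {"score": len(findings), "findings": findings}


# Constructed lure message: spoofed news alert, disguised link, macro-enabled attachment.
SAMPLE = """\
From: "News Alerts" <alerts@news-updates.example>
To: analyst@bank.example
Subject: BREAKING: U.S. strike on Syria imminent
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Full story: <a href="http://compromised-site.example/news.html">www.cnn.com/syria-strike</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="report.docm"
Content-Disposition: attachment; filename="report.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign message for comparison.
BENIGN = """\
From: it-helpdesk@bank.example
To: analyst@bank.example
Subject: Weekly maintenance window
Content-Type: text/plain; charset="utf-8"

The usual Sunday maintenance window applies this week.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE), ("benign", BENIGN)):
        print(label, triage(raw))
```

The three checks map directly to the text: the subject check catches the breaking-news lure, the link check catches the disguised link to a compromised site, and the attachment check catches the weaponized document; a message that trips none of them scores zero.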

Preventing these attacks is getting harder. Cyber-criminals are continuously sharpening their spear-phishing messages so they are more likely to be opened by users. Today, spear-phishing is one of the main tools used to compromise endpoints inside financial institutions. Once a machine is infected, an attacker can access its information and has full control over the device. The compromised machine can be used to commit financial fraud, or to gain a foothold within a corporate network. In fact, on June 25, 2013, the FBI issued a warning about the increase in the use of spear-phishing attacks to target multiple industry sectors.

Given the advancing sophistication and "believability" of phishing and especially spear-phishing attacks, end-user education no longer provides sufficient protection. Making sure that endpoint devices are properly patched to prevent the exploitation of vulnerabilities and drive-by downloads is essential. For stronger, more proactive protection, financial institutions should implement exploit prevention technologies that are now becoming available.

George Tubin is senior security strategist for cyber-crime prevention vendor Trusteer.
