“Royal Baby: Live updates” malware scam infects users

Kaspersky Lab has discovered a new malware campaign that seeks to capitalise on the royal baby fervour and infect unsuspecting users.

The scam will come as little surprise to security researchers who frequently uncover opportunistic cyber-attacks that masquerade as news, videos and photos relating to a hot media topic. With web users all over the world eagerly devouring any update from St Mary’s Hospital, Paddington, it was only a matter of time until hackers began setting traps to exploit the online community.

Kaspersky’s spam traps caught an email titled “The Royal Baby: Live updates”, which advertises alleged coverage from news network CNN and invites users to follow it. The email text carries an embedded link, "Watch the hospital-cam", but Kaspersky suspects this malicious link has already been taken down, as it now fails to lead anywhere.

However, a search for “Watch the hospital-cam” does bring up a web page with similar content to the spam email, and this time the malicious hospital camera link is still alive and ready to attack users.

“It contains three links with *.js naming on yet another set of hosts,” Kaspersky explains on its Secure List blog. “Checking these, we finally see what it is all about, namely a ‘Blackhole Exploit Kit’ serving URL - a drive-by approach to infect unprotected users ‘on the fly’.

“Kaspersky Lab products detect this threat as ‘Trojan-Downloader.JS.Expack.aiy’,” the blog concludes.
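The chain Kaspersky describes, a news-looking page that pulls in several `.js` files from other hosts before handing the visitor to an exploit-kit URL, is something an analyst can spot quickly by listing every script a page loads from a host other than its own. The following is an added triage helper, not code from Kaspersky or from the original article; the page URL, the sample HTML and the `.invalid` host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample (not the real spam page): a news-looking page that loads
# one script from its own host and three from other hosts, the pattern
# described for the "hospital-cam" page.
PAGE_URL = "http://news-example.invalid/royal-baby-live"
SAMPLE_HTML = """
<html><head><title>The Royal Baby: Live updates</title>
<script src="/static/site.js"></script>
<script src="http://cdn-a.example.invalid/loader.js"></script>
<script src="//cdn-b.example.invalid/x/y.js"></script>
<script src="http://cdn-c.example.invalid/z.js?id=1"></script>
</head><body><a href="#">Watch the hospital-cam</a></body></html>
"""


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_scripts(page_url, html):
    """Return (host, absolute_url) for each script loaded from a host other
    than the page's own host. Relative and scheme-relative (//host/...) refs
    are resolved against page_url first, so they are classified correctly."""
    parser = ScriptSrcParser()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    found = []
    for src in parser.srcs:
        absolute = urljoin(page_url, src)
        host = urlparse(absolute).hostname
        if host and host != page_host:
            found.append((host, absolute))
    return found


def triage(page_url, html):
    """Summarise third-party script loading for an analyst: distinct foreign
    hosts, the script URLs, and how many of them have a .js path."""
    ext = external_scripts(page_url, html)
    hosts = sorted({host for host, _ in ext})
    urls = [url for _, url in ext]
    js_count = sum(1 for url in urls if urlparse(url).path.endswith(".js"))
    return {"third_party_hosts": hosts, "script_urls": urls, "js_count": js_count}


if __name__ == "__main__":
    report = triage(PAGE_URL, SAMPLE_HTML)
    print(f"{len(report['third_party_hosts'])} third-party script host(s):")
    for url in report["script_urls"]:
        print("  ", url)
```

Run it against a saved copy of a suspicious page and the output is the list of hosts worth checking in a sandbox or against reputation data; a same-host script such as `/static/site.js` is deliberately not flagged, since the indicator here is scripts fetched from elsewhere.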

The royal baby media explosion provides a welcome window of opportunity for cyber-criminals, who used similar tricks during the intense coverage of the Boston bombings in April this year. Exploits were hidden in fake news pages claiming to show videos of the bombings, while one campaign used the same technique reported by Kaspersky today, spamming email inboxes with fake CNN stories on the incident.

Typical headlines included “Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com”, leading victims to destinations capable of infecting their machines.

“It no longer comes as a surprise when we see malware campaigns destined for inboxes that pretend to be news stories or videos about recent tragedies that become world topics,” said Fred Touchette, analyst at security firm AppRiver.

“Even brands, such as CNN, are being tarnished by these exploits. Adopting a layered approach to security, adding spam and virus filters to email, using web protection services or devices, employing endpoint anti-virus software and encrypting sensitive messages all help deflect this type of attack. But, at the end of the day, vigilance is key,” he advised.