Original URL: https://www.theregister.com/2013/04/17/malware_squatters_boston_marathon_bombing/

Malware and domain-squatters target Boston Marathon bombing

Tragedy inspires threats both true and false

By Iain Thomson in San Francisco

Posted in Security, 17th April 2013 22:18 GMT

The scummier end of the online community has been quick to use Monday's bombing of the Boston Marathon as bait for multiple malware dispersals, plus a spot of old-fashioned online fraud along the way.

Within 24 hours of the blasts, the ISC reported that 234 potentially fake domains have been registered featuring mention of the attack. Some have started soliciting donations (including one asking for Bitcoins – evidently confident that the current $90 unit price will rise again) but there are no reports of spammers using them, as yet.

It should be pointed out that a few of these domains were bought by people looking to stop squatters, and most are "parked" or dead-end links at this stage. John Bambenek, ISC member and founder of Bambenek Consulting, said the figures were rather a positive sign.

"I would have thought this would have picked up quicker than it had," he said. "That said, it did give me the impetus to finish scripting a few things to basically monitor these domains automatically to start looking for indicators and to see when (or if) they ever come out of 'parked' status."

Meanwhile, malware distributors are relying on the age-old principle that people will click on URLs without thinking if they're really interesting in the subject. It's a tactic that has worked for over a decade and probably always will, given the fundamental Layer Eight problem of human curiosity and stupidity.

Sophos, Kaspersky, and AVG are warning of the tactic being used to spread the Windows Trojan Tepfer, usually in emails entitled "Explosion at Boston Marathon." The link for more information comes with an IP address and an HTML page ending in "news.html" or "boston.htm" that leads to a page of videos. 60 seconds later the Trojan tries to install itself in the background.

Not to be left out, scammers are trying to seed a second piece of malware, this time a JAR file aimed at getting past flaws in Oracle's Java. This URL, in a similar format, redirects the user to three other URLs that try and install the malware if it detects an unpatched vulnerability. Oracle released a combination patch for Java on Tuesday and users are advised to get it installed.

It's the Westboro Baptists again!

Meanwhile, it has been reported that Anonymous has taken over the Facebook page of America's least-favorite poster-children for free expression, the Westboro Baptist Church (WBC).

This small cult of around 100 members, based around the Phelps-Roper family in Kansas, passes its days protesting at funerals of military and high-profile celebrities with the message that everything bad in America happens because of its acceptance of the homosexuality. As a sideline, WBC members include many lawyers fond of suing people for large damages if they get punched.

Shortly after the twin blasts at the finishing line of the Boston Marathon, the WBC issued a press release saying that they would be attending the funerals of the three people killed, replete with their customized "God sent the bombs" signs. They also said they planned to protest Thursday's memorial service at the city's Cathedral of the Holy Cross.

"Massachusetts invited this special wrath from God Almighty when it was the FIRST STATE to pass same-sex marriage on May 17, 2004," the WBC said. "As a direct and immediate result of that first step down the slippery slope to nationwide fag marriage, God sent the devastating bombs to the Boston Marathon."

This prompted a response from the Twitter feed of @YourAnonNews threatening the WBC with the usual "expect us" warning. Then crackers claiming to be from Anonymous appeared to have taken over the Facebook page of the WBC to post pictures of kittens, jokes, and inspirational sayings.

This was originally reported as a hack, but looks more like a case of brand-jacking. The WBC deny having a Facebook page (preferring to tweet instead) and Anonymous have pointed out that @YourAnonNews is not an official organ of communication. ®

Bootnote

While not a Bostonian, this El Reg hack has many friends born and bred there and once spent a memorable Thanksgiving in that wonderful city that permanently damaged his liver. It's going to be very tempting (and somewhat in keeping with the city's character) for Bostonians to take a swing at the WBC, but please refrain; it only encourages them.