Margaret Thatcher’s Death Used in Cyber Attacks

As the world remembers former British Prime Minister Margaret Thatcher, cyber attackers are participating too, but in their own tricky ways. Websense® Security Labs™ and the Websense ThreatSeeker® Intelligence Cloud have detected that attackers are sending malicious email spam with a topic referencing the death of Mrs. Thatcher. Actually, it is not new for an attacker to use a hot topic (like the death of Hugo Chavez) to spread malware. In this case, the lure email is very simple, with just a few words related to Mrs. Thatcher, but it pretends to be from your friends by using the "Re:
Fwd:" notation
. Internet-savvy customers will know that it looks suspicious and should not be tempted to click the link in the email.

When recipients click the malicious link, they are taken to a redirection page first, and then redirected to a Blackhole Exploit Kit landing page. The landing page detects the browser and plugin information in the client, and then serves the vulnerability file based on the plugin information. The final payload is a Cridex trojan, as seen in our ThreatScope™ report and in the VirusTotal report here.  Cridex is known in breaking CAPTCHA codes and you can see this trojan in action on our previous blog here.

Server-side polymorphic technology has been applied to evade traditional AV detection. 

It is not the first time we have seen the Blackhole malicious email campaign. It has evolved over time in combination with hot topics like the current crisis in Korea or major companies filing for bankruptcy. Please be careful about any email that contains 1 of  the following subjects:


Fwd: Dollar Bank bankruptcy

Re: Shedding light on 'dark matter'

Re: Why Washington is corrupt

Re: Kissinger: Thatcher's strong beliefs

Re: Tax havens busted

Fwd: Re: First Citizens Bank bankruptcy

Fwd: Re: Living large in Don Draper's New York

Fwd: Re: Kissinger: Thatcher's strong beliefs

Re: Fwd: California Bank & Trust bankruptcy

Fwd: Re: Bank of America bankruptcy

Fwd: Allowing knives on planes is 'insane'

Fwd: Re: War with N. Korea

Fwd: Air Canada goes 'Gangnam style'

Fwd: Re: NASA plans to catch an asteroid

Re: Fwd: Dollar Bank bankruptcy

Fwd: Why Washington is corrupt

Fwd: Blast kills 29 on bus in New-York

Fwd: Shedding light on 'dark matter'

Fwd: Re: Marikana massacre aftermath

Re: Fwd: Kissinger: Thatcher's strong beliefs

Fwd: Re: PNC Bank bankruptcy

Re: Fwd: Bank Of The West bankruptcy

Re: Fwd: M&I Bank bankruptcy

Re: Bank Of The West bankruptcy

Fwd: Bank Of The West bankruptcy

Re: Fwd: PNC Bank bankruptcy

Re: Bank of America bankruptcy

Re: Fwd: War with N. Korea

Re: California Bank & Trust bankruptcy

Re: Blast kills 29 on bus in New-York

Re: Fwd: Blast kills 29 on bus in New-York

Re: Sending out SOS for 'America's flagship'

Re: Fwd: Marikana massacre aftermath

Re: Living large in Don Draper's New York

Re: War with N. Korea

Fwd: Re: Death penalty 'harms Bali's reputation'

Re: Fwd: Death penalty 'harms Bali's reputation'

Re: PNC Bank bankruptcy

Re: NASA plans to catch an asteroid

Re: Northern Trust Bank bankruptcy

Fwd: Tax havens busted

Re: Fwd: Why Washington is corrupt

Re: Fwd: Tax havens busted

Fwd: M&I Bank bankruptcy

Re: Fwd: Fashion designer Lilly Pulitzer dies

Re: First Citizens Bank bankruptcy

Re: Fwd: Shedding light on 'dark matter'

Re: Fwd: Living large in Don Draper's New York

Re: Fwd: Northern Trust Bank bankruptcy

Fwd: Re: California Bank & Trust bankruptcy

Re: Air Canada goes 'Gangnam style'

Re: Fashion designer Lilly Pulitzer dies

Re: Dollar Bank bankruptcy

Fwd: Sending out SOS for 'America's flagship'

Websense technologies can protect customers in a multi-stage attack:

  • Websense email security blocks the malicious email.
  • Our Advanced Classification Engine (ACE™) detects the malicious content both in redirection and in the exploit page with real-time intelligence.
  • Vunlerability files and the payload trojan are detected by Websense Gateway products.
  • Websense technologies can identify malicious droppers both statically and behaviorally (via Websense ThreatScope).