Spammed malware links pose as royal baby, Spanish train disaster news


People are attracted to news, and when the news is big, the attraction is urgent. Spammers have known this for years, and both the recent royal birth and a horrific train accident in Spain have tempted them to dust off their fake CNN news alert templates. The honeypots at Barracuda Labs are seeing high volumes of this spam, which uses a wide variety of hacked websites as link destinations.

Notice how this campaign still carries a subject line “Perfect gift for royal baby… a tree?” even as the content was changed to a fake video preview of the train disaster.  Even spammers have a tough time keeping their stories straight.

CNN news alerts are a favorite spammer target because people sign up to receive them and expect to see them in their inbox. This familiarity and trust means less suspicion and more clicks. That's dangerous here, because the links in this email have nothing to do with CNN. Instead, an ill-considered click takes you to a hacked website whose response loads JavaScript from other hacked websites (three different ones, for redundancy).

In turn, the small bit of JavaScript that is retrieved redirects the browser to an attack site elsewhere.

While this site is currently unresponsive, the usual result would be exploitation of the browser and installation of a backdoor or password stealer.
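A mail filter can catch the mismatch described above, where a message claims to be from CNN but its links point elsewhere. The following is an added example, not Barracuda's detection logic; the brand-to-domain map, the sample message and all `.example` hostnames are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a defender-maintained map of brand names to domains they really use.
BRAND_DOMAINS = {"cnn": {"cnn.com"}}

# Constructed sample message (not taken from the campaign).
SAMPLE = """From: "CNN Breaking News" <alerts@news-mail.example>
Subject: Breaking news alert
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://hacked-site.example/cnn/index.html">Watch video</a>
<a href="http://www.cnn.com/privacy">Privacy</a>
</body></html>
"""

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # collect every anchor target in the HTML body
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _belongs(host, domains):
    # Exact match or true subdomain only, so "cnn.com.evil.example" does not pass.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def off_brand_links(raw_message):
    """Return link hosts that do not belong to the brand named in the From header."""
    msg = message_from_string(raw_message)
    sender = msg.get("From", "").lower()
    brands = [b for b in BRAND_DOMAINS if b in sender]
    if not brands:
        return []  # no known brand claimed, nothing to compare against
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    parser = _Links()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            parser.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    hosts = (urlsplit(h).hostname for h in parser.hrefs)
    return sorted({h for h in hosts if h and not _belongs(h, allowed)})
```

Any non-empty result means the message names a brand in its sender line while sending clicks to hosts that brand does not own, which is a reasonable signal for quarantine or link rewriting.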


As always, treat all of your email as guilty until proven innocent.  Unless you really need to, don't even bother giving it a trial.  Any news you receive in an update or newsletter should also be available on the website of the organization whose name appears on the email.  Don't take chances – instead, use a few more keystrokes to go directly to the website.


Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.
