A few days ago, one of our partners sent us some interesting spam messages for analysis. The messages exploited a popular media topic: the introduction of a one-time tax on the bank accounts of Cypriot bank clients. This news dominated the media and gave rise to various speculations about the tax. When the first reports began to appear, the Parliament of Cyprus had not yet voted on the tax, and it later became known that the bill was not approved. At the same time, we recorded activity from attackers who exploited the topic and the hype around it for their own purposes. They sent messages with headlines hinting that the Parliament of Cyprus had approved a bill introducing a tax on deposits. Each spam message contained a short text intended to frighten the user with the claim that the bill had been approved in parliament, and the message was made to look as if it had been sent by the BBC.

One of these messages was as follows:

All links in the message, which is disguised as BBC news, actually send the user to the hxxp://go-my.ru/cyprus_news.html web page, from which the user is redirected to a Blackhole Exploit Kit page that then installs the Cridex Trojan (Win32/Cridex.AA). We recorded that Blackhole used one of the latest Java exploits, CVE-2013-0431, which we detect as Java/Exploit.Agent.NMK.


After infection, the user is redirected to the BBC news home page, where, of course, they can see that the situation is not as dramatic as it seemed at first glance.


As a result of the attack, Win32/Cridex is installed on the user's computer (the distribution map of this threat can be seen on our Virus Radar).
The phishing links mentioned in the spam are blocked by our anti-virus products.
