Security Response

Malicious Spam Luring Victims with Claims of Celebrity Deaths

Created: 24 Aug 2010 08:45:13 GMT • Updated: 23 Jan 2014 18:25:29 GMT
Mayur Kulkarni

Strange stories of celebrities dying in plane crashes or car accidents have suddenly appeared in spam. The false news is distributed to spread viruses through HTML or zipped attachments. This is one more in a series of virus attacks seen in the last few weeks; we wrote about one of them in a recent Security Response Blog post. Using celebrity names to lure recipients into opening malicious URLs or attachments is an old trick.

In one of the campaigns seen, spammers use subject lines claiming that a celebrity has died. Examples include:

  • Beyonce Knowles died
  • Bon Jovi died
  • Brad Pitt died
  • Cameron Diaz died
  • David Beckham died
  • Gwen Stefani died
  • Jay-Z died
  • Jennifer Aniston died
  • Jennifer Lopez died
  • Johnny Depp died
  • Justin Timberlake died
  • Kanye West died
  • Miley Cyrus died
  • Nicole Kidman died
  • Ronaldinho died
  • Tiger Woods died
  • Tom Cruise died

The message body adds that the celebrity died along with 34 other people when the plane carrying the group on a trip crashed into a mountainside while approaching the airport. For further details, recipients are asked to open the malicious attachment. In another example, the subject lines were changed to claim that the celebrities were killed in a fatal car crash.

Sample image of the message:

The same celebrity names seen in the first example appear in these subject lines:

  • Beyonce Knowles Fatal Car Crash
  • Brad Pitt Fatal Car Crash
  • David Beckham died
  • Gwen Stefani Fatal Car Crash
  • Jay-Z Fatal Car Crash
  • Jennifer Aniston Fatal Car Crash
  • Kanye West Fatal Car Crash
  • Madonna Fatal Car Crash
  • Miley Cyrus Fatal Car Crash
  • Oprah Winfrey Fatal Car Crash
  • Ronaldinho Fatal Car Crash

Upon opening the zipped attachment named “[REMOVED]Hot News.zip,” we find an executable. The malicious content is detected as Trojan.Zbot by Symantec antivirus products.
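A mail-gateway style check for the pattern described above (a lure subject plus a ZIP attachment that contains an executable), added here as an illustration and not taken from Symantec's products. The extension list, function names, and the sample message are assumptions constructed for the example.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject endings taken from the two campaigns listed above.
LURE_SUBJECT = re.compile(r"\b(died|fatal car crash)\s*$", re.IGNORECASE)
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")  # assumed extension list

def zip_executables(data: bytes) -> list:
    """Return names of ZIP members that look like Windows executables."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                try:
                    with zf.open(info) as fh:
                        magic = fh.read(2)  # PE files start with 'MZ'
                except (RuntimeError, NotImplementedError):
                    magic = b""  # encrypted or unsupported member
                if info.filename.lower().endswith(EXEC_EXTS) or magic == b"MZ":
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a readable archive; nothing to report
    return hits

def triage(raw: bytes) -> dict:
    """Parse one message; report lure subject and zipped executables."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":  # ZIP magic, regardless of file name
            found += zip_executables(payload)
    subject = str(msg["Subject"] or "")
    return {"lure_subject": bool(LURE_SUBJECT.search(subject)), "executables": found}

def build_sample(subject: str, member: str, content: bytes) -> bytes:
    """Constructed test message; names and bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "a@example.com", "b@example.com"
    msg.set_content("Details in the attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="sample.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("Brad Pitt died", "news.scr", b"MZ" + b"\x00" * 62)))
```

The subject match alone is only a supporting signal; the presence of an executable inside the archive is what should drive a quarantine decision.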

Spammers are known to create curiosity with their spam messages so that users become interested and attempt to open, and perhaps even install, the executable. Using brand names such as well-known news agencies, or a celebrity's name, gives the spammers much-needed credibility to gain the recipients' trust. Users should follow the standard practice of not opening any suspicious links or attachments received in unsolicited email or from an unexpected source.

Note: Thanks to Anand Muralidharan for the contributed content.