
Michael Jackson has “Gone Too Soon.” Spammers Never Let Go

Created: 01 Jul 2009 00:04:12 GMT • Updated: 23 Jan 2014 18:34:28 GMT
Vivian Ho

The Internet has gone wild since Michael Jackson, the “King of Pop,” was reported dead on June 25. Symantec Security Response has already blogged about how spammers are trying to capitalize on this event in many ways, both with messages that carry malware and with scams tied to this talented celebrity’s death. We expect that spam and malware will keep coming in, given Michael Jackson’s popularity and following. Recipients should be extra cautious about messages that appear to be related to Jackson’s death, especially any email that comes from an unknown or unexpected source.

The following are some examples of what we have seen circulating:

Sample 1.1

Spammers hide behind a spoofed message, made to look like a familiar social network notification, in an attempt to trick recipients into opening a malicious URL.


Sample 1.2

Spammers disguise themselves as a press organization and attempt to lead recipients to a malicious URL (jackson.com is detected as W32.HLLP.Sality.O).

From: folha online <sp@folhadesaopaulo.com.br>
Subject: Ultimas noticias de Michael Jackson

Translation:
Subject: Latest news from Michael Jackson

Body Translation:

[Content Details Removed]
...his home and was admitted to hospital in a state of coma.

Full coverage: Jackson dies see the latest unpublished photos

[Content Details Removed]
...that can be downloaded at the official site of the singer here.

http://www.michaeljackson.com/the_jackson_discography


Sample 2

Spammers send out content related to the star’s cause of death, along with an embedded .jpg link that leads users to a malicious binary file (W32.Pinfi).

Translation:
[Content Removed] ...in all the papers, the death was the result of/caused by drug use!

see photos

http://xrl.us/beym7m?DSC_803.jpg


Sample 3

The 419 scam—A spammer, pretending to be a Michael Jackson concert ticket officer based in London, sends out a message that requests the recipient’s information in order to receive ticket reimbursement.

From: "Michael Jackson concert{London}" <payee.representive@xxxxxxxxxxx.xxxxx>
Reply-To: <payeerepresentive@xxxxxxxxxxx.xxxxx>
Subject: Reimbursement due to death of Pop King{Michael Jackson}
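
Two traits of the samples above lend themselves to simple mail-triage checks: the Sample 2 link that carries a .jpg name only after the "?", and the Sample 3 Reply-To that differs from the From address. The following is an added example, not code from Symantec or the original post; the messages, domains and finding labels are constructed placeholders, and the checks are heuristics rather than a verdict.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed messages modelled on Samples 2 and 3; all domains are placeholders.
PHOTO_LURE = ("From: news@press.example\nSubject: see photos\n\n"
              "see photos\nhttp://short.example/abc123?DSC_001.jpg\n")
REFUND_LURE = ('From: "Concert office" <payee.rep@tickets.example>\n'
               "Reply-To: <payeerep@mailbox.example>\n"
               "Subject: Reimbursement\n\nSend us your details.\n")

def decoy_extension(url):
    """True when an image extension shows up only in the query or fragment:
    the link reads like a photo, but the path does not name an image."""
    parts = urlsplit(url)
    tail = (parts.query + "#" + parts.fragment).lower()
    return (any(ext in tail for ext in IMAGE_EXT)
            and not parts.path.lower().endswith(IMAGE_EXT))

def reply_to_mismatch(msg):
    """True when Reply-To names a different mailbox than From."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    reply = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    return bool(reply) and reply != sender

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = ["reply-to-mismatch"] if reply_to_mismatch(msg) else []
    findings += ["decoy-image-extension:" + u
                 for u in URL_RE.findall(text) if decoy_extension(u)]
    return findings

if __name__ == "__main__":
    for name, raw in (("photo", PHOTO_LURE), ("refund", REFUND_LURE)):
        print(name, triage(raw))
```

Findings like these are best used to raise a message's score for review or to hold it for URL analysis, since legitimate mail can also set a separate Reply-To.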


----------

Author's Note: My thanks to my colleagues and key contributors to this blog post: Ruby Yang and Eric Lin.