Fake CDC vaccine e-mail leads to malware

AppRiver warns of scammers preying on public interest in the H1N1 vaccine through an e-mail purporting to come from the Centers for Disease Control and Prevention.

Updated 5:10 p.m. PST with information about later versions of the e-mail campaign directing to a landing page with hidden code that uses an Adobe exploit to try to download malware onto the system.

The e-mail appears to be from the CDC but directs people to a fake CDC site that serves up a Trojan. (Image: AppRiver)

You can ignore that e-mail that looks like it comes from the U.S. Centers for Disease Control and Prevention about creating a profile for an H1N1 vaccination program. It's a malware scam, according to security provider AppRiver.

The fake alert informs recipients that, as part of a "State Vaccination H1N1 Program," they need to create a profile on the CDC Web site. The link in the e-mail goes to a fake CDC page where the visitor is assigned a temporary ID and a link to a "vaccination profile" that is actually an executable file containing a copy of the Kryptik Trojan targeting Windows, according to an AppRiver blog post on Tuesday.

Once installed, "this Trojan will create a security-free gateway on your system and will proceed to download and install additional malware without your authorization," the post warns. "It also enables a remote hacker to take complete control of your computer. This malware can log your typed keystrokes and send confidential personal and financial data (including banking information, credit card numbers, and website passwords) to a remote hacker."

AppRiver said it was seeing the fake CDC e-mails at a rate of nearly 18,000 messages per minute, reaching more than 1 million in the first hour alone.

The malware campaign apparently got more dangerous as the day wore on. In later iterations of the fake CDC e-mail, the landing page that the link led to contained a hidden iFrame that pointed to a site hosted in Ukraine, according to Symantec. In the background, the iFrame checks whether the system is running an unpatched version of Adobe Reader, Acrobat, or Flash Player and, if so, uses an exploit to download a file to the system, the company said.
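The two lures this article describes, a "profile" link that really fetches an executable on a look-alike domain, and a landing page carrying a hidden off-site iFrame, are both visible in the HTML itself. The scanner below is an added example for mail-gateway or web-proxy triage, not code from AppRiver, Symantec, or CNET; the sample e-mail body and landing page are constructed here, and the hostnames in them (`cdc-h1n1-program.example`, `exploit-host.example`) are placeholders, not the real campaign's infrastructure.

```python
"""Flag phishing-page indicators in an HTML document (added example):
(1) iframes that are hidden (display:none / 1x1) and load content from
    a host other than the page's own;
(2) links whose visible text names a domain (e.g. cdc.gov) that the
    href does not actually go to;
(3) links whose target path is a Windows executable.
All sample HTML below is constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".pif")
# Domain-looking tokens in visible link text, e.g. "www.cdc.gov".
DOMAIN_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:gov|com|org|net)\b")


def _is_hidden(attrs):
    """True if the element is styled invisible or collapsed to 1x1 or smaller."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim)
        if value is not None and value.strip().isdigit() and int(value) <= 1:
            return True
    return False


def _same_site(host, domain):
    return host == domain or host.endswith("." + domain)


class LureScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []          # list of (indicator, detail) tuples
        self._href = None           # href of the <a> currently open, if any
        self._text = []             # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs}
        if tag == "iframe":
            src = a.get("src") or ""
            src_host = (urlparse(src).hostname or "").lower()
            if src_host and src_host != self.page_host and _is_hidden(a):
                self.findings.append(("hidden_offsite_iframe", src))
        elif tag == "a":
            self._href = a.get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, "".join(self._text).strip().lower())
            self._href = None

    def _check_link(self, href, text):
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(EXEC_EXTENSIONS):
            self.findings.append(("executable_download_link", href))
        for claimed in DOMAIN_IN_TEXT.findall(text):
            if not _same_site(host, claimed):
                self.findings.append(("text_domain_mismatch", f"{claimed} -> {href}"))


def scan_html(html, page_host):
    """Return all indicators found in `html`, which was served from `page_host`."""
    scanner = LureScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples modelled on the lures described in the article.
SAMPLE_EMAIL = """
<p>Create your profile at <a href="http://cdc-h1n1-program.example/profile">www.cdc.gov</a></p>
"""
SAMPLE_LANDING = """
<p>Your temporary ID is 48213. Download your
<a href="http://cdc-h1n1-program.example/vaccination_profile.exe">vaccination profile</a>.</p>
<iframe src="http://exploit-host.example/index.php" width="1" height="1" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for name, html, host in (("e-mail", SAMPLE_EMAIL, "mail.example"),
                             ("landing page", SAMPLE_LANDING, "cdc-h1n1-program.example")):
        for indicator, detail in scan_html(html, host):
            print(f"{name}: {indicator}: {detail}")
```

The iFrame check deliberately requires both conditions, hidden and off-site, because legitimate pages embed visible third-party frames all the time; the domain-mismatch check compares the domain a user would read in the link text against where the href really goes, which is the core of this lure regardless of which agency is being impersonated.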

"During testing, our detections picked up the Adobe exploitation attempts using generic IPS and AV signatures," a Symantec spokesperson said.

This screen shot shows the fake CDC Web page that is distributing the Trojan. (Image: AppRiver)
