Operation Pawn Storm is the name given to a long-running malware and cyber-espionage campaign that Trend Micro first reported in 2014. Despite its age, Pawn Storm is still active and still impersonating new websites. Its latest ploy is a look-alike of the Electronic Frontier Foundation's website, used as bait for the group's targets.
The latest phase of the Operation Pawn Storm campaign started about a month ago. Pawn Storm relies on spear phishing: targeted email that pretends to come from a business or individual the recipient already knows. The malicious email contains a link to a website the user is familiar with, but the domain in the link carries a subtle typo (googel.com instead of google.com, for example). These typosquatted domains lead to a page designed to mimic the real site, and that page serves a Java applet which exploits a vulnerability in the visitor's Java browser plug-in. Once the target has visited the URL and the Java payload has been delivered, the attackers disable the URL so that it no longer serves malware; this makes it harder for investigators to work out how the infection started in the first place. At that point the attacker can run code of their choosing on the user's machine, which is typically used to install further malware.
The Electronic Frontier Foundation website itself may not be high on your regular viewing list, but similar phishing sites and campaigns have become increasingly common. Go through almost any email spam folder and you will find messages that appear to come from familiar services and websites. Look closely at the sender information in those emails and you will see that the displayed sender name and the actual email address don't match. These are the unsophisticated versions of the same techniques described above; the difference is that the more advanced versions get past the spam filter and land in your inbox.
The lesson here is to be careful about what you open from your email. If you are connecting to any website where you hold an account, it is wiser to type the site's URL directly into the browser than to rely on a link someone sent you. If you must follow a link, take a few extra seconds to hover over it and check where it actually leads before you click. If anything looks suspicious, find a different way to reach that content. Finally, the golden rule of email still applies: if you don't know the sender, don't click the link! It is better to be safe than to become a host for malware.
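The three manual checks above (does the sender's display name match the address, does the visible link text match where the link really goes, and is the domain a one-or-two-character typo of a site you trust) can be automated for a whole mailbox. The script below is an added example written for this post, not code from the original article or from any vendor; the trusted-domain list, the edit-distance threshold of 2, and the sample message are all constructed assumptions, and the domain parsing deliberately ignores public-suffix rules such as co.uk.

```python
"""Triage a raw e-mail for the tell-tale signs of a typosquat phish:
sender name/address mismatch, link text that disagrees with its href,
and domains that are a near-miss of a trusted one. Standard library only."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption: the domains this organisation considers legitimate.
TRUSTED_DOMAINS = {"google.com", "eff.org", "paypal.com"}

# Constructed sample message for the example; not a real phishing capture.
SAMPLE_EMAIL = """\
From: Google Accounts <security@googel.com>
To: user@example.com
Subject: Action required on your account
Content-Type: text/html

<html><body>
<p>Please review your account:
<a href="http://googel.com/login">https://accounts.google.com/login</a></p>
<p>Or read the <a href="https://www.eff.org/issues/privacy">EFF privacy page</a>.</p>
</body></html>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; host names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host (accounts.google.com -> google.com).
    Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain: str, max_distance: int = 2):
    """Return the trusted domain this one imitates, or None if it is
    either trusted itself or not close to anything trusted."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= max_distance:
            return trusted
    return None


def check_sender(msg) -> list:
    """Flag a sender domain that is a near-miss of a trusted one, and a
    display name that claims a trusted brand while the address is elsewhere."""
    findings = []
    addresses = msg["From"].addresses if msg["From"] else ()
    if not addresses:
        return ["no parseable From address"]
    name, domain = addresses[0].display_name, registrable_domain(addresses[0].domain)
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} looks like {imitated}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower() and domain != trusted:
            findings.append(f"display name '{name}' claims {brand} but address is @{domain}")
    return findings


def check_links(msg) -> list:
    """Flag hrefs that point at look-alike domains, and anchors whose visible
    text is itself a URL on a different domain than the real destination."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        href_domain = registrable_domain(urlparse(href).hostname or "")
        imitated = lookalike_of(href_domain)
        if imitated:
            findings.append(f"link to {href_domain} looks like {imitated}")
        shown = urlparse(re.sub(r"<[^>]+>", "", text).strip())
        if shown.hostname and registrable_domain(shown.hostname) != href_domain:
            findings.append(f"link text shows {shown.hostname} but href goes to {href_domain}")
    return findings


def triage(raw: str) -> list:
    """Run every check over one raw RFC 5322 message and return the warnings."""
    msg = email.message_from_string(raw, policy=policy.default)
    return check_sender(msg) + check_links(msg)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("WARN:", finding)
```

On the constructed message the script raises four warnings: the sender domain googel.com imitates google.com, the display name claims Google while the address is elsewhere, the first link's href is the same look-alike domain, and that link's visible text shows accounts.google.com while the href really goes to googel.com. The genuine eff.org link produces nothing. An edit distance of 2 is a starting point; raise it and you catch more typosquats at the cost of more false positives on short, legitimate domains.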
– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer