Skip to content

2013 Press Release

Cyber-criminals take advantage of the Boston Marathon Explosions to Steal User Information

[Taipei, 22 April, 2013] In less than 24 hours after the explosions at the Boston Marathon, the leading global security company Trend Micro Incorporated (TYO:4704) detected more than 9,000 spammed messages relating to the tragic incident that took 3 lives and left many injured. Some spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video” and “Video of Explosion at the Boston Marathon 2013″ in an attempt to trick curious and concerned users into downloading malware that would lead to the theft of their credentials.

Figure 1. Sample spam email related to the Boston Marathon explosions

These spammed messages only contained a single URL link, http:// {BLOCKED} / boston.html. Once clicked, the webpage will display an embedded YouTube video of the Boston Marathon explosions. However, at this point users who clicked the link would have also unknowingly downloaded a worm program called WORM_KELIHOS.NB.

Figure 2. Malicious web page with the embedded video


Once this worm infects a user’s computer, it obtains user credentials from different File Transfer Protocols (FTPs) such as LeapFTP, P32bit FTP, FTP Control, SecureFX, BitKinex, and FileZilla. It also steals affected users’ Bitcoin wallet and other data (email addresses, etc.) on the affected computer’s local drive for further profit.

Trend Micro noticed that this worm was carefully designed so that the download link points to varying IP addresses every time it is accessed in order to hide its origin. Currently these IP addresses are traced back to several different countries including Argentina, Australia, Netherlands, Japan, Russia, Taiwan, and Ukraine.

Further analysis by Trend Micro also showed WORM_KELIHOS.NB could also be transmitted via USB and to other removable devices. Upon being transferred, the worm hides all the folders on the removable drive and replaces them with a .LNK file that appears as a folder icon. Although this folder can be accessed, the user would also unknowingly be executing a malicious command before the requested action could be completed.

Figure 4. Removable drive infected by WORM_KELIHOS.NB

Spreading like wildfire

In addition to this spam sample and spreading the worm through removable devices, other social media platforms were used to exploit similar threats. For example, malicious Tweets and links on free blogging platforms crafted just hours after the blast were launched for the purposes of stealing money, resources, and identities.

Figure 6. Malicious Tweets and blog posts

Exploiting people’s curiosity of global concerns has always been a staple of cybercrime attacks. This goes to show that a cybercriminal’s work never ends. The Trend Micro Smart Protection Network can now detect and block all related spammed messages and all associated URLs to protect its customers from attacks of this nature.

For further information on this threat, please check:

Connect with us on