Cyber Attackers Pose as New York Times

Written by Chris Crum
    Symantec’s MessageLabs tells WebProNews there is a new targeted attack using emails pretending to be from the New York Times. MessageLabs Intelligence tracked the attack yesterday. It used emails pretending to come from the NYT’s "Times Reader" software and hit six different domains: one was a public sector domain, one was a law firm, three were chemical companies, and one was an online gambling company in the UK.

    "The email attacks originated from Greece from IP address 83.253.67.30 (aiolos.otenet.gr)," a MessageLabs representative tells us. "MessageLabs Intelligence can’t see this being used as a botnet."

    Attackers Disguise themselves as New York Times - Times Reader

    "When executed, the 'Times Reader Plugin.exe' uses iexplore.exe to send encrypted data over port 443 to 82.103.136.9," she continues. "It resolves to an address in Denmark, which looks like a computer on a home network. It doesn’t display anything when you run the exe, so the victim wouldn’t know they have been infected. The only indication is an iexplore.exe process running when there is no IE browser session open. It drops 2 files in the C:\windows\system32 directory as rundl32.exe and also rundl32. This dropped virus is a keylogger, with the rundl32 file containing what it is you are writing. After a while, the virus shuts down and deletes itself."

    While the attack appears to be very targeted, it may prove to be a good idea to watch for such emails, particularly if you are a user of Times Reader.
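
    The indicators in the MessageLabs statement can be checked against a host snapshot. The Python below is an added example, not code from MessageLabs or WebProNews; the snapshot layout, the has_window field and both sample hosts are constructed for illustration.

```python
import ntpath

# Indicators quoted in the MessageLabs statement above.
C2 = ("82.103.136.9", 443)
DROPPED = {r"c:\windows\system32\rundl32.exe", r"c:\windows\system32\rundl32"}
LURE = "times reader plugin.exe"

def norm(path):
    """Windows paths are case-insensitive and accept either slash."""
    return ntpath.normcase(ntpath.normpath(path))

def triage(host):
    """Return (severity, message) findings for one host snapshot."""
    findings = []
    procs = {p["pid"]: p for p in host["processes"]}
    for path in host["files"]:
        # Exact match only: the legitimate rundll32.exe (two l's) must not alert.
        if norm(path) in DROPPED:
            findings.append(("high", f"dropped file present: {path}"))
    for p in procs.values():
        name = ntpath.basename(norm(p["image"]))
        if name == LURE:
            findings.append(("high", f"lure running, pid {p['pid']}"))
        # The one visible symptom described: iexplore.exe with no browser window.
        if name == "iexplore.exe" and not p["has_window"]:
            findings.append(("medium", f"windowless iexplore.exe, pid {p['pid']}"))
    for c in host["connections"]:
        if (c["raddr"], c["rport"]) == C2:
            owner = procs.get(c["pid"], {}).get("image", "unknown process")
            findings.append(("high", f"{owner} connected to {c['raddr']}:{c['rport']}"))
    return findings

# Constructed snapshots (not real telemetry). has_window is an assumed field
# that the collector sets when the process owns a visible top-level window.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
INFECTED = {
    "processes": [{"pid": 1204, "image": IE, "has_window": False}],
    "files": [r"C:\WINDOWS\system32\rundl32.exe", r"C:/windows/System32/rundl32",
              r"C:\WINDOWS\system32\rundll32.exe"],
    "connections": [{"pid": 1204, "raddr": "82.103.136.9", "rport": 443}],
}
CLEAN = {
    "processes": [{"pid": 3020, "image": IE, "has_window": True}],
    "files": [r"C:\WINDOWS\system32\rundll32.exe"],
    "connections": [{"pid": 3020, "raddr": "192.0.2.10", "rport": 443}],
}

if __name__ == "__main__":
    for label, host in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, triage(host))
```

    Because the statement says the malware shuts down and deletes itself after a while, an empty result from a live snapshot does not show the host was never infected; historical proxy or firewall logs for the same address cover that gap.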

     
