The tragedy that is Malaysia Airlines Flight 17 has sparked plenty of outrage, grief, and dismay on Twitter. Discussions related to recent developments and breaking news have been going non-stop since the plane was shot down by pro-Russian rebels on Thursday.
Seeing an opportunity, criminals have targeted those discussions in order to spread malware.
The method is called hashjacking, which is a term used to describe the act of leveraging a trending hashtag in order to spread your own message. In this case, while people are using #MH17 to discuss the tragedy and current developments, criminals are using it to spread malicious URLs.
As seen in the image above, the account is directing people to a *.tk domain, and using the #MH17 hashtag in order to get as many eyes on the URL as possible.
This example is just one of several that have targeted the MH17 story, and at present, nearly 500 messages pointing to malicious URLs have been posted.
For now, the links point to one of two possible servers, both hosted on IPs in the US. The domains that are connected to them are a mix of malicious and legitimate. Researchers at Trend Micro speculate that the traffic to the legitimate domains is being used to spike traffic and garner ad views.
"On the other hand, the malicious domains associated with these IPs are connected to a ZeuS variant detected as TSPY_ZBOT.VUH and SALITY malware. ZeuS/ZBOT are known information stealers while PE_SALITY is a malware family of file infectors that infect .SCR and .EXE files. Once systems are infected with this file infector, it can open their systems to other malware infections thus compromising their security," a blog post on the attacks explains.
Online, criminals are known for targeting current events for nefarious reasons. Social media has extended their reach, whereas before they would use Black Hat SEO techniques and poison search results to conduct their schemes.
The MH17 tragedy is just the most recent example. In recent times, criminals have also targeted the Flight 370 disappearance and the Boston bombings.
For now, the best source of information is going to be the BBC or another international news source. It's best to avoid links that point to *.tk domains.
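For teams triaging a stream of posts, the pattern described above (a trending hashtag paired with a *.tk link) can be checked mechanically. The following is an added example, not code from the article or from Trend Micro; the post format, the watchlists, the account names and the hostnames are all assumptions constructed for illustration. It matches on the parsed hostname's last label, so a lookalike prefix or a path containing "tk" is not flagged.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: hashtag and TLD watchlists, and the post format.
TRENDING_TAGS = {"#mh17"}
WATCHED_TLDS = {"tk"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TAG_RE = re.compile(r"#\w+")

def url_host(url):
    """Hostname a client would actually contact, lowercased, or None."""
    try:
        # Trim sentence punctuation; .hostname drops userinfo and port.
        host = urlsplit(url.rstrip(".,;:!?)")).hostname
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return None
    return host.rstrip(".") if host else None

def watched_host(url):
    """Return the host if its last DNS label is on the TLD watchlist."""
    host = url_host(url)
    watched = host and "." in host and host.rsplit(".", 1)[1] in WATCHED_TLDS
    return host if watched else None

def flag_posts(posts):
    """Return (user, host) for posts pairing a trending tag with a watched link."""
    hits = []
    for post in posts:
        tags = {t.lower() for t in TAG_RE.findall(post["text"])}
        if not tags & TRENDING_TAGS:
            continue
        for url in URL_RE.findall(post["text"]):
            host = watched_host(url)
            if host:
                hits.append((post["user"], host))
    return hits

# Constructed sample posts; users and hostnames are made up for this example.
SAMPLE_POSTS = [
    {"user": "acct_a", "text": "Shocking video #MH17 http://constructed-sample.tk/v?id=1"},
    {"user": "acct_b", "text": "#mh17 watch now HTTP://Constructed-Sample.TK."},
    {"user": "acct_c", "text": "#MH17 http://news.example.com@constructed-other.tk:8080/live"},
    {"user": "acct_d", "text": "#MH17 coverage http://constructed-sample.tk.example.com/"},
    {"user": "acct_e", "text": "#MH17 latest http://example.org/tk/report"},
    {"user": "acct_f", "text": "Unrelated http://constructed-sample.tk/ #weather"},
]

if __name__ == "__main__":
    for user, host in flag_posts(SAMPLE_POSTS):
        print(f"{user}: {host}")
```

A TLD match is only a triage signal; flagged hosts still need to be checked against reputation data before any blocking decision.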