Spammers were quick to take advantage of the tragic plane crash in Brazil this week.
Researchers at Websense Security Labs reported that a new spam campaign is using this week's crash to lure unsuspecting users to a malicious Web site. The e-mails link to a Web site that purports to contain information on the people onboard the plane, but actually simply infects the users' computers with malware.
On Tuesday night, an Airbus 320 with about 176 people onboard skidded off a runway during landing at an airport in Sao Paulo. The jetliner, which was owned by TAM Airlines, hit an office building and gas station, creating a fire that took hours to extinguish.
According to Websense, the message on the malicious Web page reads, "TAM reports that flight JJ3054 has taken off from Porto Alegre with 170 people onboard, between passengers and employees plus six more crew members (commanders and flight attendants). As soon as their names are confirmed, we'll notify the families before any further information becomes public, as determined by existing law TAM has made public all information available so far. Any relevant information will be provided immediately from TAM."
Websense reported in an advisory that users are prompted to run some code. However, when the code is launched, a Trojan Downloader is installed on the users' computers. The malware then connects to another site to download and install an information-stealing Trojan Horse.
The Web site, which has been compromised, is hosted in Korea. Websense researchers say this isn't the first time the site has been taken over to host malicious code.
Spammers generally are quick to take advantage of headline-grabbing tragedies.
In April, spam that promised images of the shootings at Virginia Tech began hitting inboxes worldwide. The spam carried a photograph of gunman Cho Seung-hui, who killed more than 30 students and teachers at the Virginia school before killing himself. The e-mails claimed to link to a Brazilian Web site carrying movie footage of the campus shootings, according to researchers at Sophos. Instead, curious uses who connected to the site were infected with spyware that acted like a banking Trojan.