Spammers got busy when Michael Jackson died

LAS VEGAS -- When Michael Jackson died on June 25, his fans mourned — and cybercriminals swung into action.

Within 38 hours, they forged alliances with familiar partners to trigger global spam campaigns that capitalized on the singer's death.

That was a potent reminder of the dangers that computer-savvy lawbreakers pose in a world that increasingly depends on the Internet for communications and commerce.

"Cybercriminals hunt prey with a velocity that's impossible for legitimate businesses to match," says Patrick Peterson, Cisco chief security officer.

The attacks after Jackson's death will be fresh on the minds of about 4,000 corporate managers gathering Wednesday to discuss cybercrime defenses at the annual Black Hat Vegas security conference.

"The bad guys are very adept at using Internet technologies," says Dave Marcus, director of research and communications at anti-virus firm McAfee. "And unlike the good guys, they aren't restrained by any laws or jurisdictional boundaries."

Like most large-scale cyberattacks, the Jackson spamming runs were carried out by about a dozen elite crime gangs. Each controls networks of hundreds of thousands of infected home and workplace PCs, called bots, which they lease to clients who want to carry out scams.

Longstanding clients include sellers of non-certified pharmaceutical drugs, herbal remedies, replica designer goods and worthless anti-virus subscriptions. Their hard drives brim with e-mail and website marketing material and software to carry out online sales.

They attract attention by referring to headline news, including the election of President Obama, the swine flu outbreak — and celebrity deaths.

"They have templates ready so all they have to do is plug in words relating to a specific event," says John Harrison, director of Symantec's security response team.

So they were all set on the Thursday afternoon when news about Jackson's death began to spread.

Trolling for hot topics

"These groups monitor news outlets, Twitter and other social-media sites to discover hot topics," says Jose Nazario, manager of security research at Web security firm Arbor Networks.

Within a few hours, a smattering of amateurish spamming attacks began to appear. But the serious botnet gangs and cyberscammers took a little more time to coordinate large-scale campaigns.

By dawn on Saturday, a top botnet gang, Waledac, had a client: a well-known online drug retailer, GlavMed.com, also known as Canadian Pharmacy, Cisco senior researcher Henry Stern says.

The Waledac gang began deploying thousands of bots to spam out millions of e-mails with Web links purportedly leading to news about Jackson, he says. But the links actually redirected recipients to websites affiliated with GlavMed that sold sexual-performance drugs and pain killers.

A few hours later, another major botnet gang, known as Rustock, also blasted out Jackson-themed spam for GlavMed's online shopping sites.

"Rustock is run by a different group of criminals, but here it was spamming the same e-mails as Waledac on behalf of a common client," Peterson says.

A week after Jackson's death, criminals out to steal sensitive data or hijack online financial accounts began to move in. A major botnet gang called Pushdo launched a large-scale spamming campaign with enticing messages including: "Who killed Michael Jackson? Visit X-Files to see the answer." A Web link followed.

Clicking on it triggered what's known as a "drive-by download." The attacking bot scans for security holes in popular applications such as Internet Explorer, QuickTime and Adobe Acrobat Reader.

Breaking in

When it finds one, it swiftly secures access to the heart of the operating system, giving botnet controllers an opening to install any programs they want, including one called a rootkit that makes the opening permanent.

Pushdo's client also paid the gang to install a customized version of a malicious tool, called Zbot, that watches for when the PC user logs on to any banking website. Zbot then steals the user name and password and forwards them to the client.

As with most drive-by downloads, the Pushdo gang got a bonus. The opening created by the bot remained in place after the client's work was done, giving the gang another bot for hire.

"This was just another routine spam campaign by Pushdo, but it had a malicious twist," says Phil Hay, lead threat analyst at security firm Marshal8e6.