Gallery

Johnny Depp isn't dead - good security practice is

Posted on 20 Apr 2010 at 11:59

Davey Winder is dismayed as cybercriminals once again take advantage of our obsession with celebrity

I was equally in no doubt that the story would become more about online security – especially since the US hadn’t yet woken up on that Sunday morning and there was bound to be a mad dash for confirmation or denial of the rumour. I was right, and in my original story I warned readers not to click too many links about Johnny Depp being dead because “celebrity malware spammers will be joining in soon enough”.

I followed this up a couple of hours later with a security-focused piece that predicted that malware merchants would soon be coming out to play with this story while it was hot, noting that “the search engines are currently buzzing with folk desperately trying to find out the truth”, and warned that inevitably malicious link campaigns were already being organised. When that “RIP Johnny Depp” thread became a trending topic on Twitter, at the same time it became the act of conception for a malware storm that would be born within 24 hours.

And so it was the next morning that the spam started spreading. Email messages promising to reveal the truth about Johnny Depp, to expose the cover up of his death, and even to deliver video of the non-existent crash site started to appear. Their common thread was that they all contained a link for grief-stricken and confused fans, the news-hungry and the plain hard-of-thinking to click on for more information, which purported to lead to major news organisation coverage or to play the sick video footage.

Never install a plugin from anywhere other than its original publisher – be that Adobe, Microsoft or whoever

In fact, all these links would simply take a mug punter to a malware site – the video link promptly downloaded a malware package using the usual “needs a new codec” scam, or else the mere act of visiting the site triggered the usual exploit of unpatched browser vulnerabilities. But even those who can resist reading spam and who don’t click the links in spam weren’t safe. They could still fall victim to search engine poisoners, who employ Black Hat search engine optimisation techniques to get their malicious pages high enough up the hit list to grab some of the action when fans searched for news about the death of their hero.

YouTube footage

Even YouTube was flooded with malicious video footage that claimed to show the death crash scene, but actually just tried to lure you to another malware site. My mate Graham Cluley, senior consultant at security outfit Sophos, even went so far as to put his own video on YouTube to intercept those searching for Johnny Depp Death Crash videos and show them how the malware merchants work this scam (which, by the way, was more often than not done by asking you to install an ActiveX plugin to view the sick video, which in reality was nothing more than a trojan).

It amazes me that people still fall for this trick, but so many people are so desperate to believe and belong, it seems they’ll do whatever a web page tells them. Just for the record, you should never install a plugin to view content from anywhere other than a website you trust 100%. In fact, I’d go further and say never install a plugin from anywhere other than its original publisher – be that Adobe, Microsoft or whoever. Cut out the middle men, even if they appear to be 100% trustworthy, just to be on the safe side.

By the time you read this the whole Johnny Depp is (or isn’t) dead story will have died itself, as the shelf-life of such a tale in terms of its malware window-of-opportunity is fairly short. Sure some of the bogus pages and links will remain active beyond this time, but most will shut up shop for fear of getting caught, or even because they have been caught by security vendors and closed down by their web hosts.

Sadly enough, there will be another story to hitch a malicious ride on along very soon – enough of them to ensure that this kind of malware is of increasing concern to those of us in the security business. All we can do is keep on trying to get the “stop and think before you click that link” message across, and keep telling everyone that common sense and up-to-date antivirus software are the best defence against these cyber-scumbags.

Download a year of Davey Winder's Online Security columns by heading to our Free Downloads site