Jeremy Scott | July 19, 2012
The Solutionary Security Engineering Research Team (SERT) has been receiving a significant amount of malicious emails luring would-be victims to hosts running the Blackhole Exploit Kit.
Gameover Zeus and Cridex are popular banking Trojans that steal victim’s bank account information to be used to make fraudulent charges on the victims’ accounts.
As usual, the danger comes not from the email itself, but from the referenced site that holds the Blackhole Exploit Kit. If you click on the link and proceed to the page, you are in danger of infection from additional malware and account compromise.
The following image is an example of an email with the embedded hyperlink.
The following image is another example received that had an attached HTML file. The file attached to the email had the filename Wire_NFED_Rejected.htm. Instead of linking to a compromised website for redirection to the Blackhole Exploit Kit landing page, the attachment contains a direct link to the landing page.
The subject lines used in the malicious spam campaign can vary, but are all related to a "Wire Transfer Confirmation". The reference number enclosed in the parenthesis varies or is completely nonexistent.
If a victim clicks on the hyperlink or opens the file attachment, they will be displayed with page in their browser with the following message:
"Please wait a moment. You will be forwarded...".
The following image displays part of the deobfuscated code. The script is run by the victim’s browser and redirected to the Blackhole Exploit Kit landing page.
I continue to stress the same recommendations when dealing with suspicious emails.
- Don't respond to suspicious e-mails.
- Don't click links in suspicious e-mails.
- Delete suspicious e-mails and move on.
At Solutionary we advise our clients of data security good practices such as these, as well as alert them of recent vulnerabilities through research done by our Security Engineering Research Team (SERT).
See how Solutionary managed security services based on the patented ActiveGuard® Security Compliance Platform combine security intelligence and expertise to provide visibility, threat detection and event response.
POST A COMMENT