Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Fake ‘Amazon order’ email exploits recent Java vulnerability CVE 2012-4681

View all posts > 

Fake ‘Amazon order’ email exploits recent Java vulnerability CVE 2012-4681

Posted: 02 Sep 2012 09:44 PM | Xue Yang | 1 comment(s)


Following our recent blog posts regarding the propagation of Java vulnerability CVE-2012-4681 (New Java 0-day used in small number of attacks) and its subsequent inclusion in the infamous Blackhole Exploit Kit (New Java 0-day added to Blackhole Exploit Kit),  the Websense® ThreatSeeker® Network has detected a new malicious email campaign purporting to be an order verification email from Amazon directing victims to a page containing the recent Java exploit.


If successful, this exploit could allow the cyber-criminals behind this campaign to deliver further malicious payloads to the victim’s machine which, for example, could lead to the exfiltration of personal and financial data.


Oracle have released an out-of-band patch for this Java vulnerability (Oracle release Java 1.7.0_07 to fix CVE-2012-4681) and Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine.


On 1st September, Websense® ThreatSeeker® Network intercepted over 10,000 malicious emails with the subject ‘You Order With Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:   




Once the victim has clicked the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit – in this case, hxxp://atjoviygdm.dnset.com/main.php?page=8e2cf5bb67d777a4 . The Payload view below highlights the Java Archive ‘Leh.jar’ which is then used to exploit CVE-2012-4681 should the victim’s machine be vulnerable, an analysis of this file can also be found on VirusTotal.



The obfuscated JavaScript above (de-obfuscated version below) attempts to profile the visiting machine, such as determining the browser type and version as well as the Adobe Flash, Adobe Reader and Java versions, and then based on this information selects the ‘best’ exploit to use against this particular victim.   




This email campaign further illustrates the ingenuity and speed at which cyber-criminals package and propagate malicious content along with social-engineering techniques in order to exploit both recent software vulnerabilities and the trusting nature of end-users.



JSA said on Thursday, September 20, 2012 10:19 AM


 Your Orders  | Your Account | Amazon.com  

Order Processing Confirmation  

Order #002-1595875-41975714  


Thank you for shopping with us. We thought you want to see that we shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Your estimated order delivery date is:

Friday, September 21, 2012

Why tracking information may be unavailable?

Your order was sent to:


384 S Academy Ave, App. 0A

Prospect, CA

United States

This shipment doesn't have an associated delivery tracking number.

Conveyance Data

 Sceptre 42LW5391, SV 44-Inch 720p 600 Hz Cinema 3D LCD HDTV FullHD and Four Pairs of 3D Glasses

Sold by trenter

Condition: not-used before


Item Subtotal:  $590.79  

Shipping & Handling:  $26.33  

Total Before Tax:  $590.79  

Shipment Total:  $590.79  

Paid by Cashe:  $590.79  

Returns are easy. Visit our Online Return Center.

If you need further assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!


Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

Leave a Comment


Email address: (required)