Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Voice Mail Notifications and ADP Emails Lead to Blackhole Exploit Kit


Posted: 13 Sep 2012 02:00 PM | Ran Mosessco | 1 comment(s)

Since Blackhole Exploit Kit 2.0 was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email.

Websense® ThreatSeeker® Network has recently intercepted a few malicious email campaigns that try to lure the victims to Web pages that host this popular exploit kit. Some of the themes were new to us and some familiar.

One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com. Like other malicious social engineering campaigns, these email campaigns try to lure victims to click links that ultimately lead to pages hosting Blackhole Exploit Kit. A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters.

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version.

ADP is one of the largest names in payroll services, so it's no surprise that a spoofed ADP notification email is used as a lure.

Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":

Let's follow one of the possible redirection paths:

hxxp://allbarswireless.com/HXwcDdQ/index.html
hxxp://ash-polynesie.com/AjVSXvus/js.js
hxxp://108.60.141.7/tfvsfios6kebvras.php?r=dwtd6xxjpq8tkatb
hxxp://108.60.141.7/links/differently-trace.php

Please refer to our previous blog post to learn more about the landing page.

Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message."

Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":
The redirection chain here is similar:

hxxp://www.tryakbar.com/tLbM3r/index.html
hxxp://sportmania.so/JP3q2538/js.js
hxxp://173.255.221.74/tfvsfios6kebvras.php?r=rs3mwhukafbiamcm

The landing page shows content similar to the previous example.
Another scheme thanks the user for signing up for a premium service.

Subject lines include "Thank you for activating paid services":

This one uses a different redirection chain, but the landing page still hosts Blackhole, at a very familiar path:

hxxp://www.svstk.ru/templates/beez/check.php
hxxp://bode-sales.net/main.php?page=3c23940fb7350489

And finally, there is the familiar theme of FDIC notifications claiming that the recipient's wire transfer ability has been suspended.

Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"

Here again, simple redirection leads to typical "/main.php?page=" type URLs.

hxxp://kahvikuppi.org/achsec.html
hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7

Note that with the update to Blackhole 2.0, thanks to its dynamic URL generation capability, we are much more likely to see URLs like those used in the first two examples than those in the latter two.
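A defender reading these chains would want to pull them out of proxy logs. As an added example (not code from this post or from Websense's ACE), here is a small Python classifier for the two landing-page URL shapes shown above, run over a constructed proxy log; the log line format, the benign intranet.example host and the regexes are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Landing-page URL shapes taken from the redirection chains in this post.
# Assumption: these regexes are written for this example, not ACE's rules.
HEX_PAGE = re.compile(r"^[0-9a-f]{16}$")          # /main.php?page=<16 hex>
RANDOM_PHP = re.compile(r"^/[a-z0-9]{16}\.php$")  # /<16 alnum>.php?r=<16 alnum>
ALNUM16 = re.compile(r"^[a-z0-9]{16}$")

def classify_url(url):
    """Label one URL by landing-page shape, or return None for anything else."""
    u = urlparse(url.replace("hxxp://", "http://", 1))  # accept defanged URLs
    qs = parse_qs(u.query)
    page = qs.get("page", [])
    r = qs.get("r", [])
    if u.path == "/main.php" and len(page) == 1 and HEX_PAGE.match(page[0]):
        return "landing-hex-page"
    if RANDOM_PHP.match(u.path) and len(r) == 1 and ALNUM16.match(r[0]):
        return "landing-random-php"
    return None

def flag_chains(log_lines):
    """Parse '<time> <client> <url>' proxy lines (constructed format) and return,
    per client, the first landing hit plus the hops (compromised site, then the
    js.js redirector) that led there."""
    per_client = defaultdict(list)
    for line in log_lines:
        _ts, client, url = line.split(maxsplit=2)
        per_client[client].append(url)
    hits = {}
    for client, urls in per_client.items():
        for i, url in enumerate(urls):
            label = classify_url(url)
            if label:
                hits[client] = {"label": label, "landing": url, "hops": urls[:i]}
                break
    return hits

# Constructed sample: one client follows the ADP chain from this post, another
# browses benign intranet pages that merely happen to contain 'main.php?page='.
SAMPLE_LOG = [
    "2012-09-13T14:00:01 10.0.0.5 hxxp://allbarswireless.com/HXwcDdQ/index.html",
    "2012-09-13T14:00:02 10.0.0.5 hxxp://ash-polynesie.com/AjVSXvus/js.js",
    "2012-09-13T14:00:03 10.0.0.5 hxxp://108.60.141.7/tfvsfios6kebvras.php?r=dwtd6xxjpq8tkatb",
    "2012-09-13T14:00:04 10.0.0.9 http://intranet.example/main.php?page=home",
    "2012-09-13T14:00:05 10.0.0.9 http://intranet.example/main.php?page=3c23",
]

if __name__ == "__main__":
    for client, hit in flag_chains(SAMPLE_LOG).items():
        print(client, hit["label"], hit["landing"], "via", hit["hops"])
```

The hops list gives the compromised site and the js.js redirector to block alongside the landing host.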

Comments

Tod said on Wednesday, October 31, 2012 1:59 PM

Thank you very much for the information and the screen shots. I received an email that looks exactly like the 'paid services' example you mentioned. I must admit, the 'paid' part made my anxiety level go up, but I was not going to click on anything until I did some research. I landed on this web page and now I am convinced that I was wise to just delete the email.

Thanx again,

tod

