10 Oct 2012 03:45 PM
The Websense® ThreatSeeker® Network has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US. Specifically, we have detected thousands of emails with this kind of content:
As noted recently, we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages. This is also what happens with this campaign. If the recipient clicks on one of the links in the email, it starts a redirection flow which leads to URLs that host BlackHole exploit code. We simulated the recipient's experience with the support of the Fiddler tool, as shown below:
The pattern used strongly resembles the pattern used in other malicious, BlackHole-based spam campaigns, so we decided to investigate using a little set of samples from this campaign. The samples were chosen based on thousands of emails.
The links found in the spam emails usually has this kind of content:
The purpose of this flow as usual is to install a malicious files. In this malicious SPAM campaign, we noticed low detected PDF, JAR and EXE files (used to compromise the victim systems). During our simulated user exeperience we have found the following involved files:
PDF - MD5: 69e51d3794250e3f1478404a72c7a309
JAR file - MD5: 03373056bb050c65c41196d3f2d68077
about.exe - MD5: 9223b428b28c7b8033edbb588968eaea
More information on the behavior and activities of about.exe can be found in our Websense ThreatScope™ report:
Each URL shown above contains a redirection payload that leads the victim to a malicious website that hosts BlackHole exploit kit 2.0 obfuscated code. So far, we have detected thousands of emails blocked by our Cloud Email Security technology:
Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine).