Margaret Thatcher's Death Used in Cyber Attacks
Posted: 10 Apr 2013 03:39 AM

As the world remembers former British Prime Minister Margaret Thatcher, cyber attackers are participating too, in their own tricky way. Websense® Security Labs™ and the Websense ThreatSeeker® Network have detected attackers sending malicious spam email whose subject references the death of Mrs. Thatcher. It is not new for attackers to use a hot topic (such as the death of Hugo Chavez) to spread malware. In this case the lure email is very simple, with just a few words related to Mrs. Thatcher, but it pretends to come from a friend by using the "Re: Fwd:" notation in the subject. Internet-savvy customers will recognise that it looks suspicious and should not be tempted to click the link in the email.


When recipients click the malicious link, they are taken first to a redirection page and then to a Blackhole Exploit Kit landing page. The landing page detects the browser and plugin information of the client and then serves an exploit file chosen to match the plugins it found. The final payload is a Cridex trojan, as seen in our ThreatScope™ report and in the VirusTotal report here. Cridex is known for breaking CAPTCHA codes; you can see this trojan in action in our previous blog here.

 

Server-side polymorphic technology has been applied to evade traditional AV detection. 


This is not the first Blackhole malicious email campaign we have seen. It has evolved over time, combining with hot topics such as the current crisis in Korea or major companies filing for bankruptcy. Please be careful with any email that carries one of the following subjects:


  • Fwd: Dollar Bank bankruptcy
  • Re: Shedding light on 'dark matter'
  • Re: Why Washington is corrupt
  • Re: Kissinger: Thatcher's strong beliefs
  • Re: Tax havens busted
  • Fwd: Re: First Citizens Bank bankruptcy
  • Fwd: Re: Living large in Don Draper's New York
  • Fwd: Re: Kissinger: Thatcher's strong beliefs
  • Re: Fwd: California Bank & Trust bankruptcy
  • Fwd: Re: Bank of America bankruptcy
  • Fwd: Allowing knives on planes is 'insane'
  • Fwd: Re: War with N. Korea
  • Fwd: Air Canada goes 'Gangnam style'
  • Fwd: Re: NASA plans to catch an asteroid
  • Re: Fwd: Dollar Bank bankruptcy
  • Fwd: Why Washington is corrupt
  • Fwd: Blast kills 29 on bus in New-York
  • Fwd: Shedding light on 'dark matter'
  • Fwd: Re: Marikana massacre aftermath
  • Re: Fwd: Kissinger: Thatcher's strong beliefs
  • Fwd: Re: PNC Bank bankruptcy
  • Re: Fwd: Bank Of The West bankruptcy
  • Re: Fwd: M&I Bank bankruptcy
  • Re: Bank Of The West bankruptcy
  • Fwd: Bank Of The West bankruptcy
  • Re: Fwd: PNC Bank bankruptcy
  • Re: Bank of America bankruptcy
  • Re: Fwd: War with N. Korea
  • Re: California Bank & Trust bankruptcy
  • Re: Blast kills 29 on bus in New-York
  • Re: Fwd: Blast kills 29 on bus in New-York
  • Re: Sending out SOS for 'America's flagship'
  • Re: Fwd: Marikana massacre aftermath
  • Re: Living large in Don Draper's New York
  • Re: War with N. Korea
  • Fwd: Re: Death penalty 'harms Bali's reputation'
  • Re: Fwd: Death penalty 'harms Bali's reputation'
  • Re: PNC Bank bankruptcy
  • Re: NASA plans to catch an asteroid
  • Re: Northern Trust Bank bankruptcy
  • Fwd: Tax havens busted
  • Re: Fwd: Why Washington is corrupt
  • Re: Fwd: Tax havens busted
  • Fwd: M&I Bank bankruptcy
  • Re: Fwd: Fashion designer Lilly Pulitzer dies
  • Re: First Citizens Bank bankruptcy
  • Re: Fwd: Shedding light on 'dark matter'
  • Re: Fwd: Living large in Don Draper's New York
  • Re: Fwd: Northern Trust Bank bankruptcy
  • Fwd: Re: California Bank & Trust bankruptcy
  • Re: Air Canada goes 'Gangnam style'
  • Re: Fashion designer Lilly Pulitzer dies
  • Re: Dollar Bank bankruptcy
  • Fwd: Sending out SOS for 'America's flagship'
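To turn the subject list above into a mail-gateway check, here is an added Python example (not Websense code and not part of the original post). It canonicalises a subject by stripping stacked "Re:"/"Fwd:" markers, matches the remaining core against the lure subjects listed above, and separately flags deep reply/forward chains from unknown senders, which is the "pretends to be from your friends" trick the post describes. The sample headers at the bottom are constructed, and `sender_is_known` stands in for whatever address-book or allow-list lookup a real gateway would consult.

```python
import re
from typing import Dict, List, Tuple

# Lure subjects from the campaign list above, with their Re:/Fwd: prefixes
# removed and lower-cased, so every prefix variant maps to one entry.
KNOWN_LURE_SUBJECTS = {
    "dollar bank bankruptcy",
    "shedding light on 'dark matter'",
    "why washington is corrupt",
    "kissinger: thatcher's strong beliefs",
    "tax havens busted",
    "first citizens bank bankruptcy",
    "living large in don draper's new york",
    "california bank & trust bankruptcy",
    "bank of america bankruptcy",
    "allowing knives on planes is 'insane'",
    "war with n. korea",
    "air canada goes 'gangnam style'",
    "nasa plans to catch an asteroid",
    "blast kills 29 on bus in new-york",
    "marikana massacre aftermath",
    "pnc bank bankruptcy",
    "bank of the west bankruptcy",
    "m&i bank bankruptcy",
    "sending out sos for 'america's flagship'",
    "death penalty 'harms bali's reputation'",
    "northern trust bank bankruptcy",
    "fashion designer lilly pulitzer dies",
}

# One or more stacked reply/forward markers at the start of a subject.
_PREFIX_RE = re.compile(r"^\s*(?:(?:re|fwd?|fw)\s*:\s*)+", re.IGNORECASE)
_PREFIX_TOKEN_RE = re.compile(r"(?:re|fwd?|fw)\s*:", re.IGNORECASE)


def strip_reply_prefixes(subject: str) -> Tuple[str, int]:
    """Return (core subject, number of Re:/Fwd: markers stripped)."""
    m = _PREFIX_RE.match(subject)
    if not m:
        return subject.strip(), 0
    depth = len(_PREFIX_TOKEN_RE.findall(m.group(0)))
    return subject[m.end():].strip(), depth


def normalise_subject(subject: str) -> str:
    """Canonical matching form: prefixes removed, quotes and spacing unified, lower case."""
    core, _ = strip_reply_prefixes(subject)
    core = core.replace("\u2018", "'").replace("\u2019", "'")
    return re.sub(r"\s+", " ", core).lower()


def classify_subject(subject: str, sender_is_known: bool = False) -> str:
    """'block' on a known lure subject, 'quarantine' on a fake Re:/Fwd: thread
    from an unknown sender, otherwise 'allow'."""
    core = normalise_subject(subject)
    _, depth = strip_reply_prefixes(subject)
    if core in KNOWN_LURE_SUBJECTS:
        return "block"
    # The lure poses as a friend's forwarded thread: two or more stacked markers
    # from an address the recipient has never corresponded with.
    if depth >= 2 and not sender_is_known:
        return "quarantine"
    return "allow"


def scan_headers(headers: List[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Apply classify_subject to (message_id, subject, sender_is_known) tuples."""
    return {mid: classify_subject(subj, known) for mid, subj, known in headers}


# Constructed sample headers, not real traffic.
SAMPLE_HEADERS = [
    ("msg-1", "Re: Fwd: Kissinger: Thatcher's strong beliefs", False),
    ("msg-2", "FW: Bank of America bankruptcy", False),
    ("msg-3", "Re: Fwd: minutes from Tuesday", False),
    ("msg-4", "Re: Fwd: minutes from Tuesday", True),
    ("msg-5", "Quarterly figures attached", False),
]

if __name__ == "__main__":
    for mid, verdict in scan_headers(SAMPLE_HEADERS).items():
        print(mid, verdict)
```

The exact-match set is brittle on its own, since campaign subjects rotate within days; the prefix-depth rule generalises to the next lure theme but depends on the sender allow-list to avoid quarantining legitimate forwarded threads.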

 

Websense technologies protect customers at several stages of this multi-stage attack:

  • Websense email security blocks the malicious email.
  • Our Advanced Classification Engine (ACE™) detects the malicious content in both the redirection page and the exploit page with real-time intelligence.
  • Vulnerability files and the payload trojan are detected by Websense Gateway products.
  • Websense technologies can identify malicious droppers both statically and behaviorally (via Websense ThreatScope).

 

News Of Hugo Chavez's Death Used in Malicious Email Campaigns
Posted: 11 Mar 2013 05:40 PM

Following news of the death of Venezuelan President Hugo Chavez (as reported by the BBC) the Websense ThreatSeeker® Network has identified several malicious email campaigns that make reference to the President's death.  Malware authors are increasingly using breaking global news events as a means of propagating lures that lead to malware. 

Here is a screenshot typical of the emails we have seen in these campaigns:


We have tracked the following email subjects used in the campaign. As you can see, many of these lures try to increase the likelihood that a user clicks by adapting the current headlines with some fictional, salacious content.

  • CIA murdered Venezuela's Hugo Chavez?
  • CIA "DELETED" Venezuela's Hugo Chavez?
  • CIA killed Venezuela's Hugo Chavez?

 

Upon opening the malicious email, the recipient is presented with a link offering a video. Rather than displaying a video, the website takes the user to a page loaded with Better Business Bureau text references.

 

Websense ACE proactively protected customers from day zero (without an update) in two ways: 1) proactive detection of the Blackhole Exploit Kit, of which this campaign was an instance; 2) proactive blocking based on poor web reputation, since the websites used in the campaign already scored low enough to be convicted from day zero. The payload websites we have been tracking were registered little more than one week before the spam campaign was first seen.

Websense customers are protected by ACE, our Advanced Classification Engine.

Lures and exploit kits are just one of many stages typical in an attack. Having protection from the early stages within the "7 Stages of an Attack" model reduces the risk of the success of an attack. If you break one link in the attack chain, you have mitigated your risk for this particular attack.

We've recently done a webinar on the "7 Stages of an Attack". Check out the archived discussion to learn how to disrupt the attack chain to prevent the download of malicious payloads and inhibit the successful execution of exploit scripts against vulnerable software.

Carl Leonard

Phoenix the supervisor
Posted: 22 Sep 2010 04:34 PM


In general, spammers will try everything and stop at nothing to deliver content to users. When people don't trust one kind of email, spammers change their tactics and use something else. This process never stops, and is very interesting to follow. It's interesting, at least, if we know we're being protected.

 

Websense® Security Labs™ ThreatSeeker™ Network has detected another wave of malicious email messages linked to the Phoenix Exploit Kit. Websense customers are and have been protected by the real-time protection in our Advanced Classification Engine, ACE.


As we have seen during the last couple of weeks, blended attacks are being used more than ever before. Earlier, we saw spammers enticing users with pharma spam, exploiting the death of a football player, and offering Evite invitations. This time, they are attempting to lure users with genuine-looking email attachments that, when opened, launch them into a redirection chain that ends up on a page containing the Phoenix Exploit Kit.

 

The emails contain only one or two sentences and an HTML attachment:


 

When the attachment is opened, the page that is displayed looks legitimate. In fact, the spammers copied content from several different vendors and brands, including Xbox 360, Bank of America, and Twitter, as shown below:


Once the attachment is opened, the obfuscated JavaScript runs and launches the user into the redirection chain that, as mentioned earlier, ends on a page containing the Phoenix Exploit Kit.

Ivan Sabo

Daniel Covington death spam leading to Rogue AV and Phoenix exploit kit
Posted: 17 Sep 2010 09:14 AM

Websense Security Labs™ ThreatSeeker™ Network has detected a new malicious spam outbreak exploiting Daniel Covington's death. Websense customers were proactively protected against the malicious code by our Advanced Classification Engine (ACE).

 

Most popular sports websites have reported this news: Daniel Covington, a former Louisville football player, was shot and killed after an altercation in downtown Louisville in the early hours of the morning on Sep 16, 2010. Of course, hackers never miss a chance to extend their criminal activities, and this time Daniel Covington has been their victim.

 

Let's track their vicious trail. First, they send thousands of spam messages with the subject "Daniel Covington die" to attract people's attention on the Internet.

 

Screenshot of the email:


Be careful with the HTML attachment: don't open it, as it hides obfuscated malicious JavaScript code; the obfuscation technique was described in our previous blog.


Let's see how evil they are. If a recipient opens the HTML file, they are redirected to two malicious sites: one hosts rogue AV, and the other a Phoenix exploit kit, a well-known kit used by web attackers.
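Both Phoenix posts on this page turn on the same artefact: an HTML attachment that looks like a vendor page but carries obfuscated JavaScript whose only job is to push the browser down a redirection chain. The following Python example is added here and is not Websense code; it extracts every script block from an attachment and scores it on the indicators such loaders tend to share (eval/unescape/fromCharCode/document.write calls, a location change, a high density of %xx or \x escape sequences, oversized string literals). The two HTML samples, the indicator weights and the threshold are constructed for illustration; a production gateway would tune them against its own corpus.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List


class _ScriptExtractor(HTMLParser):
    """Collects the raw text of every <script> element in the document."""

    def __init__(self) -> None:
        super().__init__()
        self._in_script = False
        self.scripts: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1] += data


def extract_scripts(html: str) -> List[str]:
    parser = _ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


# Lexical indicators typical of decode-and-run loaders; one point each.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document_write": re.compile(r"document\.write(?:ln)?\s*\("),
    "location_change": re.compile(r"\blocation(?:\.href)?\s*=|location\.replace\s*\("),
}
_ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
_STRING_RE = re.compile(r"'[^'\n]*'|\"[^\"\n]*\"")


def score_script(js: str) -> Dict[str, object]:
    """Return the indicator hits plus an integer suspicion score for one script."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(js)]
    escapes = _ESCAPE_RE.findall(js)
    escape_ratio = (sum(len(e) for e in escapes) / len(js)) if js else 0.0
    longest_literal = max((len(s) for s in _STRING_RE.findall(js)), default=0)
    score = len(hits)
    if escape_ratio > 0.3:      # most of the script is an encoded blob
        score += 2
    if longest_literal > 200:   # a single huge string literal, later decoded
        score += 1
    return {"hits": hits, "escape_ratio": round(escape_ratio, 2),
            "longest_literal": longest_literal, "score": score}


def classify_attachment(html: str, threshold: int = 3) -> str:
    """'no-script', 'benign' or 'suspicious' for a whole HTML attachment."""
    scripts = extract_scripts(html)
    if not scripts:
        return "no-script"
    best = max(score_script(s)["score"] for s in scripts)
    return "suspicious" if best >= threshold else "benign"


def _percent_encode(text: str) -> str:
    return "".join(f"%{ord(c):02x}" for c in text)


# Constructed samples, not captured attachments. The "suspicious" one mimics the
# pattern described in the post: a brand-lookalike page whose script is an
# escape-encoded blob that, once decoded, only changes the page location.
BENIGN_HTML = """<html><body><p>Your statement is attached.</p>
<script>document.getElementById('date').textContent = new Date().toDateString();</script>
</body></html>"""

_HIDDEN = "location.href='http://redirect-placeholder.invalid/';"
SUSPICIOUS_HTML = (
    "<html><body><h1>Bank Notice</h1>"
    "<script>eval(unescape('" + _percent_encode(_HIDDEN) + "'));</script>"
    "</body></html>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, classify_attachment(doc), [score_script(s) for s in extract_scripts(doc)])
```

Scoring the raw text is deliberately cheap so it can run inline on every attachment; anything that crosses the threshold is the candidate for a sandbox detonation, which is where the redirection chain itself becomes visible.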


"Daniel Covington die" is not the only theme in this campaign. We have also found the same malicious spam in emails with these subjects:

  • America's Got Talent
  • Cops kill active shooter at Johns Hopkins Hospital
  • Church of Body Modification
  • failure notice
  • Jackie Evancho and Sarah Brightman
  • NFL Picks Week 2

 

Ran Qiong

©2013 Websense, Inc. All Rights Reserved.