By now, it has become somewhat of a cliché to mention how cyber-criminals try to exploit the latest hot topics to lure victims to malicious content. The recent hurricane scares, however, provided an example that we found interesting. A few weeks ago, Websense Security Labs™ and the Websense ThreatSeeker® Network came across an email campaign that redirected users to Web pages downloading rogue AV via the Blackhole exploit kit.
Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.
This post examines how various vectors (email and Web) lead to Blackhole exploit kits and rogue AV, all hosted on a single IP address. It also shows how some messages from the same email campaign, as well as similar variants, lead to pharmaceutical sites related to the "Yambo Family" group of Web sites.
The malicious mail reads as follows:
As you can see, the text references hurricanes Irene and Katia, names various, random people in the text, addresses the potential victim by his or her email user name, and suggests that the reader check out a link whose domain name looks, at first glance, to be related to meteorology.
In fact, the Web site had nothing to do with the weather, but it did host a malicious page that contained this code:
The metrologyservices.com site was cleaned the next day, and the offending page was removed.
If we check out the redirection target, we see that it shares an IP address, 184.108.40.206, with a host of other domains with names that that look equally suspicious:
But it's not just the names that are suspicious. These domains are all related to Blackhole exploit kit and/or rogue AV, and we've seen them being accessed through various vectors:
- Email campaigns, as shown above and below
- SEO poisoning using compromised WordPress pages -- in fact, searching for page linked in the hurricane email leads to:
In these cases, the htaccess file has been hacked for SEO poisoning, as seen here:
If we look up the whois information for these domains, we find they were registered to one private person: ivan-sushkin[at]yandex[dot]ru.
Looking this up leads us to all sorts of interesting information about domains related to that email address, like last year's attacks against osCommerce sites:
Websense Security Labs'™ principal security researcher, Stephan Chenette, using his Fireshark tool, came across a CSS file on a popular sports fan site that was injected with malicious code also redirecting to the same IP address:
<compromised domain>/modules/mod_activitystream/style.css -> hxxp://protect-secure.ru/culture/index.php
It also alternated to other domains, like hxxp://protect-now.ru/upkeys/index.php, hxxp://yourprivacy.ru/product/index.php.
Here's an example one of our researchers, Armin Buescher, analyzed, using one of our proprietary tools:
<compromised domain>/ modules/mod_activitystream/style.css (the compromised URL)
checkprivacy.ru / refresh / index.php (redirector)
yanquihkenu.monbe.be / main.php?page=ee87d5979969cea3 (Blackhole exploit kit)
Exploits or payloads hosted on the attack server included:
yanquihkenu.monbe.be / content/worms.jar
yanquihkenu.monbe.be / content/2fdp.php?f=26
yanquihkenu.monbe.be / w.php?f=26&e=4
yanquihkenu.monbe.be / w.php?f=26&e=6
yanquihkenu.monbe.be / GWeather.class
On September 8, detection of the malware payload on VirusTotal was at 5/44:
A day later, detection climbed up to 18/44:
Another SEO poisoning example, this time just searching for the term "automobile" on Google, came up with this result at number 22:
On September 12, this site was redirecting to:
hxxp://privacy-check.ru/uptime/index.php (with the same IP address, of course 220.127.116.11).
The trending topics (email/SEO) are not the only lure the criminals try to use. Here's a later example that looks, at first, like a somewhat common "Secret Shopper" scam, suggesting you could be a Walmart evaluator:
It leads to this:
Blackhole exploit kit:
||/Device/HarddiskVolume1/Documents and Settings/victimo/Desktop/0.649734766565878.exe
||/Device/HarddiskVolume1/Documents and Settings/victimo/.exe
||/Device/HarddiskVolume1/Documents and Settings/victimo/.exe
OK, I think everyone gets the idea. Whether it's topical emails or SEO poisoning, you are going to get served with something unpleasant from "Ivan Sushkin."
But wait! There's more!
Let's go back to the hurricane scares for a minute. There are more of the same type of hurricane emails, sent at the same time, but with different links. These lead to pharmaceutical spam pages, like "US Drugs" (shown below):
And you think we'll leave you with that? No chance!
A few days later, what better topic to exploit than Labor Day. This time, it's with a little adult-themed lure, leading to Canadian Health & Care Mall and US Drugs. Notice how the email body also has random people's names, in an effort to give more credibility to the text:
For further reading about these two "distinguished" pharmaceutical establishments, see these entries in the spamtrackers.eu Wiki:
Canadian Health & Care Mall
What we see is that the use of hot topics to attract victims to cyber-criminals' sites is widespread and varied. It can be to exploit their computer, scare them into paying for rogue AV, and/or serve them a spam page (with all the monetary gain to the criminals that comes with the affiliate programs). We can also see how the various vectors are flexible enough to be used for spam or malicious purposes. At the same time, we get an underlying feeling that "the more things change, the more they stay the same." It was quite amusing for us to see how various, unrelated topics from different vectors all led to the same IP address, with domains all registered to the same name. But for a real user, replace the term "amusing" with frustrating, risky, or expensive. There's no guarantee that the victim will "just" get a pharmaceutical spam message, as it is quite common for redirection targets to change between malicious pages hosting exploit kits and more benign spam.
Besides the protection that Websense Email Security and Websense Web Security products offer, we can never emphasize enough how careful users should be when following any link related to current events, even if it seems to come from a known source. Of course, in this case, it's a good idea to block access to this particular IP address, but rest assured that the same gang will have other domains registered to other IP addresses. This is where the real-time protection of ACE, our Advanced Classification Engine, comes into play.