Some of them look like phishing scams, but they actually point to malware-laden sites

Sep 14, 2012 10:02 GMT

Researchers have come across various malicious emails designed to trick recipients into visiting malicious websites that host the BlackHole exploit kit.

One of the emails, purporting to be an ADP invoice reminder, looks something like this:

Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management.

To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice management account.

Total amount due by September 12, 2012. $28240.35

If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

Questions about your bill? Contact [name] by Secure Mail. Note: This is an automated email. Please do not reply.

Although it looks like it could be a clever phishing scam designed to steal the ID and password of unsuspecting users, in reality the links contained in the notification point, via multiple redirects, to BlackHole pages that use a new type of obfuscation, Websense experts report.

Another such email seems to originate from the victim’s Exchange server, informing them of a new voice mail. The redirection chain in this case is similar to the one from the ADP spam.

Emails that thank recipients for signing up to a premium service use a different redirection chain, but lead to the same outcome.

Finally, experts warn of FDIC notifications that come with subjects such as “You need a new security version”, “Urgent! You must install a new security version!” or “Suspended transactions.”

One noteworthy aspect is that the BlackHole exploit kit involved in this campaign is not the recently launched BlackHole 2.0. However, upcoming campaigns will most likely involve the highly improved kit.