Trend Micro experts published a detailed paper on spam runs that rely on the exploit kit

Jul 12, 2012 13:25 GMT

After analyzing numerous spam campaigns that relied on the infamous Blackhole, Trend Micro experts have put together a study highlighting the most significant changes brought by the use of the exploit kit.

The paper – Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs – starts by explaining how spam runs that involve Blackhole work.

First, the potential victim receives an email containing a link to a compromised website. The hijacked site contains a script that redirects the user to a malicious page commonly referred to as the “landing page.”

Here, the exploit kit probes the victim’s system in search of unpatched vulnerabilities that can be leveraged to push the payload, which in most cases is malware such as Cridex or ZeuS.

Researchers note that since cybercriminals started relying on this method to obtain valuable information, the emails that start the whole chain are not designed to create a sense of urgency.

It’s well known that spam messages carrying malware attachments, or ones redirecting users to domains that host replicas of a genuine website, typically try to create a sense of urgency. With Blackhole, it’s a different story.

The emails, purporting to come from companies such as US Airways, LinkedIn, NACHA, Facebook, Microsoft, AmEx, HP Scanjet, FedWire or Apple Store, simply point to the compromised sites with subjects such as:

- You message is ready
- Your statement is available online
- Password reset notification
- Pending Messages: There are a total of 1 messages awaiting your response. Visit your inbox now
- Incoming payment received

So instead of appearing urgent, these messages rely on the fact that they perfectly replicate the ones sent by the genuine company.
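Because these lures avoid urgency cues, a filter that scores only urgency language will miss them. The following added example (it is not code from the article or from Trend Micro’s paper) shows a small triage check that looks instead at whether the links in a message point to the brand the sender claims to be. The brand-to-domain mapping, the urgency term list and the three sample messages are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed mapping of impersonated brands to the domains they legitimately link to
# (illustrative assumption, not taken from the article).
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "facebook": {"facebook.com"},
    "us airways": {"usairways.com"},
    "apple store": {"apple.com"},
}

# Words an urgency-only filter would key on (assumed list).
URGENCY_TERMS = ("urgent", "immediately", "suspended", "within 24 hours", "act now")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(url):
    """Last two host labels; enough for .com, a public-suffix list is needed for co.uk etc."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def claimed_brand(from_name, from_addr):
    """Which known brand, if any, the display name or sender address claims to be."""
    text = f"{from_name} {from_addr}".lower()
    for brand in BRAND_DOMAINS:
        if brand in text:
            return brand
    return None


def urgency_score(text):
    """Count urgency terms present; the Blackhole-style lures score zero here."""
    lowered = text.lower()
    return sum(1 for term in URGENCY_TERMS if term in lowered)


def triage(msg):
    """Flag a message when its links leave the claimed brand's domains, or when urgency is high."""
    brand = claimed_brand(msg["from_name"], msg["from_addr"])
    link_domains = {registered_domain(u) for u in URL_RE.findall(msg["body"])}
    mismatched = sorted(d for d in link_domains if brand and d not in BRAND_DOMAINS[brand])
    urgency = urgency_score(msg["subject"] + " " + msg["body"])
    return {
        "brand": brand,
        "urgency": urgency,
        "mismatched_domains": mismatched,
        "suspicious": bool(mismatched) or urgency >= 2,
    }


# Constructed sample messages (not real spam samples).
SAMPLE_MESSAGES = [
    {   # notification-style lure: claims LinkedIn, links to an unrelated site, no urgency
        "from_name": "LinkedIn",
        "from_addr": "messages-noreply@linkedin.com",
        "subject": "Pending Messages: There are a total of 1 messages awaiting your response. Visit your inbox now",
        "body": "You have 1 pending message. Visit your inbox now: http://hijacked-blog.example/wp-content/view.html",
    },
    {   # genuine-looking notification whose links stay on the brand's domain
        "from_name": "LinkedIn",
        "from_addr": "messages-noreply@linkedin.com",
        "subject": "Your message is ready",
        "body": "Read it at https://www.linkedin.com/messaging/ .",
    },
    {   # classic urgency phish: no known brand, but the urgency score is high
        "from_name": "Account Security",
        "from_addr": "alerts@secure-login-check.example",
        "subject": "URGENT: your account has been suspended",
        "body": "Act now and verify within 24 hours at http://secure-login-check.example/verify",
    },
]


def run_samples():
    """Triage every constructed sample and return the results in order."""
    return [triage(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, run_samples()):
        print(msg["subject"][:40], "->", result)
```

The first sample is the case the article describes: urgency score zero, so an urgency-only rule passes it, while the link-domain check catches the mismatch between the claimed brand and where the link actually goes. The third sample shows the opposite profile, a message that only the urgency rule catches, which is why the two signals are combined.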

According to the report, ZeuS is the most widely utilized piece of malware (66%), followed by Cridex (29%).