14 DAY TRIAL // The old “uniform traffic ticket” scams are back and experts found that their numbers increased in an attempt to drive as many users as possible towards compromised websites that host the Phoenix Exploit Kit.
Researchers from Trustwave SpiderLabs determined that the links from the phony email lead to hijacked sites that host a malicious HTML page. An iframe that’s hidden in the page points to the Phoenix Exploit Kit.
“The reason why these spam emails don’t refer the user directly to the Exploit Kit is the high frequency the domain is changed to avoid URL filtering, while the compromised Web site doesn’t change,” SpiderLabs expert Daniel Chechik wrote.
“Moreover they specifically don’t inject the malicious IFRAME into the homepage of that compromised site, so the site owner won’t suspect that his account is being abused.”
Experts advise webmasters to check their sites for the presence of a file named edw.php, since this is the script that cybercriminals use to update the HTML page on the core server. Other malicious files used in this scheme are index-include.htm and include-index.htm.