    Archive for June 14th, 2012

    We’ve been tracking and informing customers about current Black Hole Exploit Kit spam run activity, and have noted that spammers keep changing their methods to better achieve their goals. The most recent development is an aggressive turn in the tactics used in these spam runs, which makes it easier for infection to occur. With the latest technique, users only need to open the email; the connection to the URL from which malware is downloaded is made automatically.

    New Techniques to Increase Probability of Infection

    These emails differ from previous spam in that users are no longer required to click a URL before proceeding to a malicious website. This campaign has dropped its reliance on users falling for social engineering schemes in favor of automated connection to malicious websites for infection. Once the email is opened, a connection is made to a compromised website that redirects to another compromised website, and finally to the malicious website.

    The infection chain is the same as those we observed for the Twitter and Airline Ticket Black Hole Exploit Kit spam. Some of the compromised websites have been used previously, and newly compromised websites are also being used. Spammers are now using iFrames and embedded JavaScript that automatically connect to malicious websites for infection. This means infection can occur if this spam is read in email clients that support HTML and allow iFrames, such as some versions of Outlook and Outlook Express. Email clients such as Hotmail and Lotus Notes 7 and 8.5 use features such as SafeHTML to prevent infection.
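
As an added illustration (not code from the original post), the following Python sketch flags the elements in an HTML mail body that cause a connection or code execution as soon as the message is rendered: iFrames, scripts, meta refresh and inline event handlers. The sample messages, the helper names and the compromised.example host are constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Elements that fetch or run content as soon as the mail is rendered.
AUTO_TAGS = {"iframe", "frame", "script", "embed", "object"}

class ActiveContentFinder(HTMLParser):
    """Collects (kind, target) pairs for content that acts without a click."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in AUTO_TAGS:
            self.findings.append((tag, a.get("src") or a.get("data") or "(inline)"))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        for name, value in a.items():
            if name.startswith("on"):  # onload=, onerror=, ...
                self.findings.append((f"{tag}[{name}]", value))

def scan_message(raw: bytes):
    """Return findings from every text/html part of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    finder = ActiveContentFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.findings

def build_sample(html: str) -> bytes:
    """Constructed test message: plain-text part plus an HTML alternative."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain-text alternative")
    m.add_alternative(html, subtype="html")
    return m.as_bytes()

# Constructed samples: one that connects on open, one that needs a click.
NO_CLICK = build_sample('<html><body><p>Your ticket is attached.</p>'
    '<iframe src="http://compromised.example/r.html" width="1" height="1"></iframe>'
    '<script>/* placeholder, no payload */</script></body></html>')
CLICK_ONLY = build_sample('<html><body>'
    '<a href="http://compromised.example/r.html">View ticket</a></body></html>')

if __name__ == "__main__":
    for label, raw in (("no-click", NO_CLICK), ("click-only", CLICK_ONLY)):
        print(label, scan_message(raw))
```

A mail gateway or client-side filter can quarantine or strip messages for which the finding list is non-empty, since an ordinary link-only message produces none.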

    Sample of Latest Turn – No Click, Automated Connection to Malicious Site

    The following is a sample of this new type of Black Hole Exploit Kit spam:

    The following is the infection chain:

    We are continuously monitoring these spam runs and ensuring effective solutions for them. As we’ve pointed out in our previous post, there is a better way of handling Black Hole Exploit Kit than focusing on the infection point. In an upcoming blog post, we will discuss more about the effectiveness of our solution to this threat. Trend Micro™ Smart Protection Network™ blocks Black Hole Exploit Kit spam, detects and removes malware associated with Black Hole Exploit Kit infections, and blocks access to malicious URLs and website redirections.

    Posted in Bad Sites, Exploits, Malware, Spam | Comments Off on An Aggressive Turn of Tactics Used in Black Hole Exploit Kit Spam Runs


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice