Feb 11, 11:35 pm (UTC-7) | by Trend Micro
2013 has seen some significant changes in the way that attackers use the Blackhole exploit kit in spam attacks. To understand what these changes are, however, let us first go into what Blackhole did in late 2012.
Last year, the majority of URLs found in Blackhole-related phishing messages had the following format:
- http://{compromised or abused site}/{eight-digit code}/index.html
For example, a spam run in November contained a link to the website at:
- http://{domain #1}/Pz1Fa7u/index.html
Users were redirected by the above link to two URLs:
- http://{domain #2}/9WFM1cgc/js.js
- http://{domain #3}/0s3FmfEC/js.js
Both of these URLs were hosted on compromised sites. While the web hosting account of domain #2 was suspended, the redundancy of using two redirection pages allowed the attack to continue. The URL at domain #3 led to the malicious landing page, which was located at:
- http://{malicious site}/links/created_danger.php
It’s not unusual for multiple redirection pages to lead to a single malicious URL. Frequently, even different spam runs will lead to the same malicious landing page.
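As an added illustration (not code from the Trend Micro post), the following Python flags requests that match the Blackhole URL shape described above in constructed proxy-log lines and walks Referer headers backwards to show how redirection pages converge on one landing page; the host names, the log format and the 7-to-8-character code range are assumptions.

```python
"""Flag Blackhole-style URLs in proxy-log lines and rebuild redirect chains."""
import re

# URL shape described in the post: http://<site>/<short code>/index.html (the link
# in the spam message) or .../<short code>/js.js (the redirection page).  The post
# calls the code "eight-digit", but its own samples (Pz1Fa7u, 9WFM1cgc, 0s3FmfEC)
# are 7-8 alphanumeric characters, so the range below is an assumption.
BLACKHOLE_URL = re.compile(
    r"^https?://(?P<host>[^/\s]+)/(?P<code>[A-Za-z0-9]{7,8})/(?P<page>index\.html|js\.js)$"
)

# Constructed proxy-log lines: "<timestamp> <client> <requested url> <referer or ->".
SAMPLE_LOG = """\
2012-11-05T10:01:02Z 10.0.0.5 http://domain-1.example/Pz1Fa7u/index.html -
2012-11-05T10:01:03Z 10.0.0.5 http://domain-2.example/9WFM1cgc/js.js http://domain-1.example/Pz1Fa7u/index.html
2012-11-05T10:01:03Z 10.0.0.5 http://domain-3.example/0s3FmfEC/js.js http://domain-1.example/Pz1Fa7u/index.html
2012-11-05T10:01:04Z 10.0.0.5 http://malicious.example/links/created_danger.php http://domain-3.example/0s3FmfEC/js.js
2012-11-05T10:02:00Z 10.0.0.7 http://intranet.example/wiki/index.html -
"""

def parse_line(line):
    ts, client, url, referer = line.split()
    return {"ts": ts, "client": client, "url": url,
            "referer": None if referer == "-" else referer}

def classify(url):
    """Return 'spam_link', 'redirector' or None for a URL."""
    m = BLACKHOLE_URL.match(url)
    if not m:
        return None
    return "spam_link" if m.group("page") == "index.html" else "redirector"

def redirect_chain(url, events):
    """Walk Referer headers backwards from `url`; return the chain in request order."""
    by_url = {e["url"]: e for e in events}
    chain = [url]
    while len(chain) < 20 and by_url.get(chain[-1], {}).get("referer") in by_url:
        chain.append(by_url[chain[-1]]["referer"])
    return chain[::-1]

def analyze(log_text):
    """Return (flagged URL -> role, landing page -> chain that reached it)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    flagged = {e["url"]: classify(e["url"]) for e in events if classify(e["url"])}
    # A request referred by a flagged page that does not itself match the pattern
    # is a candidate landing page; record the whole chain that led to it.
    landing = {e["url"]: redirect_chain(e["url"], events)
               for e in events if e["referer"] in flagged and e["url"] not in flagged}
    return flagged, landing
```

The intranet `/wiki/index.html` line is there on purpose: a short path segment does not match, so ordinary `index.html` requests are not flagged.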