Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Sandra Cheng (Product Manager) and Jon Oliver (Senior Architecture Director)

    Phishing has fundamentally changed and its transformation was aided by the blackhole exploit kit. We’ve been blogging about persistent phishing spam runs, including the association of these spam runs with blackhole exploit kits, since earlier this year. We’ve also released a technical paper containing details of our research, which includes the unique insight we have into these events from big data analytics and Trend Micro™ Smart Protection Network™. The paper also includes details about how to effectively protect users.

    We’ve been keeping tabs on these events and it is evident that things have changed in the world of phishing. Cybercriminals are no longer relying on users to submit their personal information and they have increased the success rate of their attacks with new methods. Now, the only thing cybercriminals rely on is for users to open an email and click a link.

    Old Advice for Phishing

    Given this scenario, traditional or “old” advice about phishing are out-of-date and may no longer be enough to protect users. Some of this type of advice includes:

    • “Be suspicious of any email with urgent requests for personal financial information.”
    • “The email states that you should update your information for one reason or another, and they usually provide a link that you can click to do so.”
    • “Avoid filling out forms in email messages that ask for personal financial information”

    What has changed?

    With the advent of exploit kits, cybercriminals have bypassed the step wherein they rely on users to submit their personal information. In 2012, the major method of attack is to place malware on the user’s computer using exploits and vulnerabilities. Malware, such as ZeuS and Cridex, will silently monitor activity on the computer and look for activity such as logins to financial websites. All they need to make this happen is for a user to click a bad link in email that looks legitimate.

    The phishing messages of today have far less urgency and the message is implicit:

    • “Your statement is available online”
    • “You message is ready”
    • “Incoming payment received”
    • “Pending Messages: There are a total of 1 messages awaiting your response. Visit your inbox now”
    • “Password reset notification”

    In many cases these messages are identical to the legitimate messages sent by the legitimate organization. Sometimes, the only difference between the legitimate version of the email and the phished version is the bad link. Read our paper Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs for more information about these threats and help protect users.

    Posted in Exploits, Spam, Vulnerabilities | Comments Off on Blackhole Exploit Kit Transforms Phishing

    We’ve been tracking and informing customers about current Black Hole Exploit Kit Spam Run activity and noted that spammers have been changing their methods to better achieve their goals. The most recent development is the aggressive turn in tactics used in these spam runs, which makes it easier for infection to occur. With the latest technique used by spammers, users only need to open the email and connection to the URL where malware downloaded is automated.

    New Techniques to Increase Probability of Infection

    These emails are different than previous spam as users are no longer required to click a URL before proceeding to a malicious website. A reliance on users to fall for social engineering schemes has been discarded in this campaign in favor of automated connection to malicious websites for infection. Once the email is opened, connection is made to a compromised website that redirects to another compromised website, and finally to the malicious website.

    The infection chain is the same as those we observed for the Twitter and Airline Ticket Black Hole Exploit Kit spam. Some of the compromised websites have been previously used and newly compromised websites are also being used. Spammers are now using iFrames and embedded JavaScript that automatically connect to malicious websites for infection. This means infection can occur if this spam is read in email clients that support HTML and allow iFrames, such as some versions of Outlook and Outlook Express. Email clients such as Hotmail and Lotus Notes 7 and 8.5 use features such as SafeHTML to prevent infection.

    Sample of Latest Turn – No Click, Automated Connection to Malicious Site

    The following is a sample of this new type of Black Hole Exploit Kit spam:

    The following is the infection chain:

    We are continuously monitoring and ensuring effective solutions for these spam runs. As we’ve pointed out in our previous post, there is a better way of handling Black Hole Exploit Kit than focusing on the infection point. In an upcoming blog post, we will discuss more about the effectiveness of our solution to this threat. Trend Micro™ Smart Protection Network™ blocks black hole exploit kit spam, detects and removes malware associated with black hole exploit kit infections, and blocks access to malicious URLs and website redirections.

    Posted in Bad Sites, Exploits, Malware, Spam | Comments Off on An Aggressive Turn of Tactics Used in Black Hole Exploit Kit Spam Runs

    As a continuation of our efforts to protect customers as outlined in our previous post, this post is an update on the current Black Hole Exploit Kit spam run activity. We’ve been identifying Black Hole Exploit Kit spam runs for a while and so far, it continues to have high activity. These spam runs remain a concern for organizations spoofed by spammers, owners of compromised websites, and the number of users receiving these phishing emails. The solutions we’ve released for these spam runs with unique insight from big data analysis and the power of Trend Micro Smart Protection Network are still effectively detecting and addressing email sent by spammers.

    Changes in Black Hole Exploit Kit Spam Runs

    We’ve noticed recently that while the same strategy is still being used, the spammers have now added new legitimate organizations to spoof. Specifically, they mimic legitimate emails from these entities in spam to lure users into clicking the URL in the message. The attack starts with spam containing a link to a compromised website which redirects users to the website where malware is hosted. As mentioned, the difference is that the organizations that are spoofed in the attack have diversified.

    Recent Activity with Diversified Organizations

    The following table includes the dates of recent activity, which also includes some of the new organizations being spoofed by Black Hole Exploit Kit spammers:

    Date Organizations
    May 29 Bank of America
    May 30 PayPal
    May 31 Monster
    June 1 Century Link
    Detroit Basketball
    The HoneyBaked Ham Company
    June 3 The Federal Reserve System
    June 4 Verizon
    June 5 Amazon
    June 6 AT&T
    June 7 LinkedIn

    Sample Infection Chain

    Below is the infection chain for the Black Hole Exploit Kit spam run that spoofed Amazon, AT&T, and PayPal which is just an example of the massive spam runs our experts track and release solutions for as the attacks occur:

    As this activity continues, we will continue to track and ensure that solutions for these runs remain effective and release updated solutions as necessary. Also, we’ve mentioned in our previous post of a better way to handle the black hole exploit kit than focusing at the infection point. Since the email is the initial entry point, detecting these phishing mails is an effective way to combat this threat. We will talk more about the effectiveness of our solution in an upcoming blog post.

    Posted in Bad Sites, Malware, Spam | Comments Off on Same Operation, Diversification of Targets Being Spoofed: Current Black Hole Exploit Kit Spam Runs

    In light of the slew of persistent black hole spam runs, we have been tracking and investigating this threat that leads users to the black hole exploit. These attacks typically start with a spammed message containing a link to a compromised website that redirects a user’s browser to a malicious site hosting the said exploit. The payload of this threat is to install ZeuS variants onto user systems in order to steal sensitive information from users.

    Trend Micro Solution for Black Hole Spam Runs

    Focusing on the black hole exploit kits at the infection point when the malware begins to download may not be enough. We focus instead at the start of the attack. Because the email is where the threat starts, detection is needed at the beginning, for the phishing email is sent to lure users into clicking the URL that will ultimately lead to the site that downloads the malware.

    We created a system that uses big data analysis and the power of Trend Micro™ Smart Protection Network™, for a unique view of these attacks as they occur, so solutions can be quickly created. Once the details of the attacks are correlated and mapped out, solutions are released to the cloud to protect customers via Smart Protection Network™.

    Insight into Black Hole Exploit Attacks as the Attacks Occur

    The initial challenge for this threat came from the compromised websites. Owners of these compromised websites need to constantly clean up the sites that get compromised. However, the compromised websites that are still vulnerable may still be used in the next attack.

    In the past weeks, black hole exploit-related activities employed social engineering lures using well-known companies like LinkedIn, US Airways, Facebook, American Express, PayPal, and Careerbuilder. The messages we’re seeing are highly intelligent and well-crafted phishing messages that gain the trust of users. The format and wording of these email messages were made to look exactly the same as the legitimate messages from these companies. This is why these messages are difficult to detect using traditional methods.

    One of the spam runs we investigated used the popular business-related site LinkedIn. At the beginning of this run, we identified more than 300 URLs, which were distributed across more than 100 compromised websites.

    Read the rest of this entry »

    Posted in Botnets, Exploits, Spam | Comments Off on Protecting Customers From Black Hole Exploit Kit Spam Runs


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice