TrendLabs Security Intelligence Blog

Persistent Black Hole Spam Runs Underway

  • Posted on:April 30, 2012 at 9:06 am
  • Posted in:Bad Sites, Malware, Spam
  • Author:
    Jon Oliver (Senior Architect)

Over the past month we’ve been investigating several high-volume spam runs that sent users to websites compromised with the Black Hole exploit kit. Some of the spam runs in this investigation used the names of Facebook and US Airways; others used LinkedIn and USPS. The most recent campaign we’ve seen as part of this wave of attacks used the name of CareerBuilder.

We’ll look at the campaign that used Facebook specifically, but our conclusions about each of these attacks are broadly similar:

  • Phishing messages using the names of various organizations were spread via email to targets predominantly in the United States. The content of these phishing e-mails was practically indistinguishable from legitimate messages.
  • Links in these messages led to multiple compromised websites that redirected the user to various malicious sites. Collectively, these compromised sites numbered in the thousands.
  • Users were eventually directed to sites containing the Black Hole exploit kit.

Now, let’s discuss the spam attack that used Facebook as the lure. This particular spam run consists of a fake friend-request notification sent to the victim.

The link goes to various compromised websites. We have identified more than 2,000 distinct URLs used in this attack, distributed over 374 domains. On average, each compromised domain hosted more than 5 separate malicious landing pages.

As we mentioned earlier, this particular campaign was not the only spam run we investigated. We found clear evidence that all of these attacks were linked: in many cases, the same sets of compromised URLs were used by multiple spam runs. This suggests that at least some of the parties responsible for these attacks were the same, if not the same group altogether.
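The two observations above (thousands of landing URLs spread over a few hundred compromised domains, and the same URL sets reused across separate spam runs) are exactly what an analyst would compute when triaging the links harvested from each run. The following script is an added example and not Trend Micro’s own tooling; the URL lists and run names in it are constructed placeholders, not addresses from the actual campaign. It computes the per-run statistics quoted in the post (distinct URLs, distinct domains, pages per domain) and then scores each pair of runs by the overlap of their landing-URL sets, which is the evidence used above to link the Facebook, US Airways and other runs to the same infrastructure.

```python
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlsplit

# Constructed sample data: links extracted from the message bodies of three
# hypothetical spam runs. The real campaign used >2,000 URLs on 374 domains;
# these hosts and paths are placeholders, not indicators from the campaign.
SPAM_RUN_URLS = {
    "facebook-friend-request": [
        "http://example-blog.test/wp-content/uploads/bgxta.html",
        "http://example-blog.test/images/jx7w.html",
        "http://shop.example-store.test/cache/ptr.html",
        "http://example-church.test/sites/default/ac2.html",
    ],
    "usairways-confirmation": [
        "http://example-blog.test/wp-content/uploads/bgxta.html",
        "http://shop.example-store.test/cache/ptr.html",
        "http://example-church.test/sites/default/ac2.html",
        "http://another.example-host.test/tmp/yk.html",
    ],
    "careerbuilder-match": [
        "http://unrelated.example-site.test/j/c.html",
        "http://unrelated.example-site.test/j/d.html",
    ],
}


def domain_of(url):
    """Host part of a URL, lower-cased, with any 'www.' prefix and port removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def summarize_run(urls):
    """Per-run infrastructure statistics of the kind quoted in the post:
    distinct landing URLs, distinct domains and average pages per domain."""
    distinct = set(urls)
    per_domain = defaultdict(set)
    for u in distinct:
        per_domain[domain_of(u)].add(u)
    return {
        "urls": len(distinct),
        "domains": len(per_domain),
        "avg_pages_per_domain": len(distinct) / len(per_domain) if per_domain else 0.0,
        "busiest_domain": max(per_domain, key=lambda d: len(per_domain[d])) if per_domain else None,
    }


def jaccard(a, b):
    """Jaccard similarity of two URL sets (0 = disjoint, 1 = identical)."""
    a, b = set(a), set(b)
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def link_runs(runs, min_jaccard=0.2):
    """Pairs of runs whose landing-URL sets overlap, strongest link first.
    A non-empty intersection at or above min_jaccard is treated as evidence
    that the two runs share compromised infrastructure."""
    links = []
    for (name_a, urls_a), (name_b, urls_b) in combinations(sorted(runs.items()), 2):
        shared = set(urls_a) & set(urls_b)
        score = jaccard(urls_a, urls_b)
        if shared and score >= min_jaccard:
            links.append((name_a, name_b, len(shared), score))
    return sorted(links, key=lambda t: t[3], reverse=True)


def shared_infrastructure(runs):
    """URLs seen in two or more runs: blocking these covers every run that
    reuses them, so they are the highest-value entries for a blocklist."""
    seen_in = defaultdict(set)
    for name, urls in runs.items():
        for u in set(urls):
            seen_in[u].add(name)
    return {u: sorted(names) for u, names in seen_in.items() if len(names) >= 2}


if __name__ == "__main__":
    for name, urls in SPAM_RUN_URLS.items():
        print(name, summarize_run(urls))
    for a, b, n_shared, score in link_runs(SPAM_RUN_URLS):
        print(f"{a} <-> {b}: {n_shared} shared URLs, jaccard={score:.2f}")
    for url, runs in shared_infrastructure(SPAM_RUN_URLS).items():
        print("reused:", url, "in", runs)
```

On the constructed input, the Facebook and US Airways runs share three of their five combined URLs (Jaccard 0.6) while the CareerBuilder run shares none, so only the first pair is reported as linked. The threshold is deliberately conservative: large runs that reuse only a handful of URLs can still score below it, so a practitioner should also inspect the raw shared-URL count that `link_runs` returns alongside the score.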

The scale of each individual attack is not particularly high as far as spam attacks go. The largest of these were the US Airways runs, which peaked at approximately 1% of all email observed through Trend Micro product feedback. However, because of their persistence they still pose a serious threat to users.

The goal of these attacks is to install ZeuS variants on victims’ systems in order to steal their information. We continue to monitor for new threats related to these campaigns and are taking all steps to protect Trend Micro users and customers.

Tags: Black Hole, CareerBuilder, compromised sites, Facebook, Spam, US Airways, USPS
