In light of the slew of persistent Black Hole spam runs, we have been tracking and investigating this threat, which leads users to the Black Hole exploit kit. These attacks typically start with a spammed message containing a link to a compromised website, which redirects the user's browser to a malicious site hosting the exploit kit. The payload of this threat is a ZeuS variant, installed on the user's system to steal sensitive information.
Trend Micro Solution for Black Hole Spam Runs
Focusing on the Black Hole exploit kit only at the infection point, when the malware begins to download, may not be enough. We focus instead on the start of the attack. The threat begins with the email: the phishing message is what lures users into clicking the URL that ultimately leads to the site that downloads the malware, so detection is needed at that stage.
We created a system that uses big data analysis and the power of Trend Micro™ Smart Protection Network™, for a unique view of these attacks as they occur, so solutions can be quickly created. Once the details of the attacks are correlated and mapped out, solutions are released to the cloud to protect customers via Smart Protection Network™.
Insight into Black Hole Exploit Attacks as the Attacks Occur
The initial challenge with this threat came from the compromised websites. The owners of these sites need to constantly clean up after each compromise. However, a site that is cleaned but still vulnerable may simply be compromised again and used in the next attack.
In the past weeks, Black Hole exploit-related activities employed social engineering lures using well-known companies like LinkedIn, US Airways, Facebook, American Express, PayPal, and CareerBuilder. The messages we're seeing are convincing, well-crafted phishing messages that gain the trust of users. The format and wording of these email messages were made to look exactly like the legitimate messages from these companies, which is why they are difficult to detect using traditional methods.
One of the spam runs we investigated used the popular business-related site LinkedIn. At the beginning of this run, we identified more than 300 URLs, which were distributed across more than 100 compromised websites.
Based on our investigation, the variables in these attacks, such as the links in the spam, are constantly changing, making detection and takedown of the related links difficult and challenging for spam filters. Also, more and more smaller botnets, each sending less traffic, are being used to circumvent detection.
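As an added illustration of the email-stage detection described above (this is example code, not Trend Micro's system), the script below takes the links out of a handful of constructed spam bodies styled as LinkedIn notifications and applies two checks that do not depend on knowing the current set of malicious URLs: whether the visible link text names one host while the href actually points to another, and whether a message that claims to come from a brand contains links that leave that brand's domain. It also groups every link by hosting site, which is how a run of a few hundred URLs collapses into the much smaller set of compromised hosts that actually needs cleanup. All message bodies, hosts and paths are constructed placeholders, not indicators from any real campaign.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample messages (placeholder hosts, not real indicators).
# "brand" is the company the message claims to come from; "html" is the body.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "brand": "linkedin.com",
     "html": '<p>You have 1 new invitation.</p>'
             '<a href="http://compromised-a.example/wp-content/tmp/index.html">'
             'https://www.linkedin.com/e/invite/12345</a>'},
    {"id": "msg-2", "brand": "linkedin.com",
     "html": '<a href="http://compromised-b.example/images/index.html">'
             'Accept invitation</a>'},
    {"id": "msg-3", "brand": "linkedin.com",
     "html": '<a href="https://www.linkedin.com/e/invite/67890">'
             'https://www.linkedin.com/e/invite/67890</a>'},
    {"id": "msg-4", "brand": "linkedin.com",
     "html": '<a href="http://compromised-a.example/wp-includes/js/index.html">'
             'www.linkedin.com</a>'},
]

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A hostname written out in the visible link text, with or without a scheme.
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})', re.I)


def extract_anchors(html):
    """Return (href, visible text) pairs for each <a> tag in the body."""
    return [(href, re.sub(r'<[^>]+>', '', text).strip())
            for href, text in ANCHOR_RE.findall(html)]


def same_site(a, b):
    """True if the two hostnames are the same site or one is a subdomain of the other."""
    a = re.sub(r'^www\.', '', (a or "").lower())
    b = re.sub(r'^www\.', '', (b or "").lower())
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def classify_anchor(href, text, brand):
    """Return 'mismatch', 'offbrand', or 'ok' for one link in a message."""
    href_host = urlparse(href).hostname
    m = HOST_IN_TEXT_RE.search(text)
    if m and not same_site(href_host, m.group(1)):
        return "mismatch"   # visible text names one host, href goes to another
    if not same_site(href_host, brand):
        return "offbrand"   # message claims brand X, link leaves X's domain
    return "ok"


def analyze(messages):
    """Group every link by hosting site and collect the suspicious anchors.

    Returns (by_host, findings): by_host maps hostname -> set of URLs seen
    there; findings is a list of (message id, verdict, hostname) tuples.
    """
    by_host = defaultdict(set)
    findings = []
    for msg in messages:
        for href, text in extract_anchors(msg["html"]):
            host = urlparse(href).hostname
            by_host[host].add(href)
            verdict = classify_anchor(href, text, msg["brand"])
            if verdict != "ok":
                findings.append((msg["id"], verdict, host))
    return dict(by_host), findings


if __name__ == "__main__":
    hosts, flagged = analyze(SAMPLE_MESSAGES)
    print("distinct hosting sites:", len(hosts))
    for host, urls in sorted(hosts.items()):
        print(f"  {host}: {len(urls)} URL(s)")
    for msg_id, verdict, host in flagged:
        print(f"{msg_id}: {verdict} -> {host}")
```

The "mismatch" verdict is the strong signal: a legitimate notification has no reason to show one address and link to another. The "offbrand" verdict is weaker on its own, since real mailings do sometimes link to third-party hosts, but it is exactly the property these lures must have, because the attacker cannot host the redirect on the imitated company's domain. Grouping by host is what turns a long, constantly changing list of URLs into a short list of compromised sites to notify and block.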
Trend Micro continues to investigate these attacks to strengthen our solutions. We will be updating this story in the coming days to provide more insight into our protection strategy.