The Latest in IT Security

Amazon Spam is Back, Blackhole Exploit in Tow

12
Jun
2012

Recently, we’ve seen an Amazon spam in the wild that looks like this:

click to enlarge

The sender’s name was deliberately called “Amazon.com” to make the spam appear legitimate. What gives away this particular spam, however, is that this sends to multiple recipients even if the email is meant for an individual.

All links in the email body, apart from the linked email address, lead users to the same HTML page that are hosted on various legitimate but compromised WordPress domains. Their URLs contain the following section in their syntax:

/wp-content/themes/twentyten/zone(dot)html

For this particular spam sample, the following URLs were used:

  • thebrandstand(dot)co(dot)uk/wp-content/themes/twentyten/zone(dot)html
  • unknowncoatings(dot)com/wp-content/themes/twentyten/zone(dot)html
  • constructionshco(dot)com/wp-content/themes/twentyten/zone(dot)html
  • latinamericanrestaurantmiami.com/wp-content/themes/twentyten/zone(dot)html
  • sermacho(dot)com/wp-content/themes/twentyten/zone(dot)html
  • thecubsfan(dot)com/wp-content/themes/twentyten/zone(dot)html
  • cutterssupplyinc(dot)com/wp-content/themes/twentyten/zone(dot)html

Of course, the group or person behind this spam campaign is capable of changing the URLs where the spam links point to.

Once user click any of the visible links, they are directed to this page:

click to enlarge

click to enlarge

If JavaScript (JS) is, by default, disabled on the user’s browser, the browser will prompt them to allow the program to run in the background. If enabled, the hidden and obfuscated iframe code is executed without a problem. This code directs users to adnroidsoft(dot)net/main(dot)php?page=017f3bb5c2be6a41, a Web page that contains Blackhole exploit code.

This particular exploit does the following:

  1. Checks for the presence of Adobe Reader and Adobe Flash on the user’s system
  2. Loads a Java applet hosted on the aforementioned (dot)net domain if either Reader or Flash are found on the system
  3. Redirects to certain Web pages within the said domain, which are used to house specially-crafted PDF exploit files depending on what version of the Adobe Reader program is installed on the system
  4. Deploys two exploits to target these vulnerabilities:
    • CVE-2010-1885, a two-year old bug that targets the vulnerability in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003, allowing attackers to bypass already trusted (whitelisted) online documentation for Windows
    • CVE-2011-0611, a one-year old bug that targets the vulnerability in Adobe Flash Player, Adobe Reader and Acrobat, allowing attacks to crash applications and take control of the compromised system

Unless you’re the kind of user who does not regularly apply patches to all software installed on your system, most especially those from Adobe, then consider yourself lucky and safe from this attack.

GFI VIPRE detects the main malicious HTML file (zone. html) as Malware.JS.Generic (JS).

We’ve seen something like this happen not so long ago; unfortunately, we’re still seeing it happening. I dread to think that this will go on unless website owners-particularly, WordPress owners-find the time to (1) protect their sites by regularly applying plugins and theme updates to their pages, (2) ensure that their password is not easily guessed by anyone, and (3) periodically check their website logs for any anomalies related to site access and traffic.

For those of us who regularly use email, I have below a list of recent spam campaigns found by the Labs and various security researchers that also lead to Blackhole exploit. I think that putting them down here as reference can help you, dear Reader, familiarize yourself with the kind of tactics these online criminals pull to dupe Internet users into clicking links in bogus mails and getting their systems compromised:

Hopefully after this, we’d be a lot sharper and quicker in spotting mails we need to steer clear from.

Stay informed. Stay safe!

Jovi Umawing (Thanks to Jesmond, Jong, and Adam; James for the analysis)

Leave a reply


Categories

TUESDAY, SEPTEMBER 18, 2018

Featured

Archives

Latest Comments

Social Networks