The Latest in IT Security

Fake ‘Amazon order’ email exploits recent Java vulnerability CVE 2012-4681

03
Sep
2012

Following our recent blog posts regarding the propagation of
Java vulnerability CVE-2012-4681 (New
Java 0-day used in small number of attacks) and its subsequent inclusion in
the infamous Blackhole Exploit Kit (New
Java 0-day added to Blackhole Exploit Kit),  the Websense®
ThreatSeeker® Network has detected a new malicious email campaign purporting to
be an order verification email from Amazon directing victims to a page
containing the recent Java exploit.

If successful, this exploit could allow the cyber-criminals
behind this campaign to deliver further malicious payloads to the victim’s
machine which, for example, could lead to the exfiltration of personal and
financial data.

Oracle have released an out-of-band patch for this Java
vulnerability (Oracle
release Java 1.7.0_07 to fix CVE-2012-4681) and Websense customers are
protected from this and other threats by ACE™, our Advanced Classification
Engine.

On 1st September, Websense® ThreatSeeker® Network
intercepted over 10,000 malicious emails with the subject ‘You Order With
Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:   

Once the victim has clicked the link, they are redirected to
an obfuscated page hosting the Blackhole
Exploit Kit – in this case, hxxp://atjoviygdm.dnset.com/main.php?page=8e2cf5bb67d777a4
. The Payload view below highlights the Java Archive ‘Leh.jar’ which is
then used to exploit CVE-2012-4681
should the victim’s machine be vulnerable, an analysis of this file can also be
found on VirusTotal.

The obfuscated JavaScript above (de-obfuscated version below) attempts to profile the visiting
machine, such as determining the browser type and version as well as the Adobe
Flash, Adobe Reader and Java versions, and then based
on this information selects the
‘best’ exploit to use against this particular victim.   

This email campaign further illustrates the ingenuity and
speed at which cyber-criminals package and propagate malicious content along
with social-engineering techniques in order to exploit both recent software
vulnerabilities and the trusting nature of end-users.

Related posts:
  1. New Java Zero-Day Vulnerability (CVE-2012-4681)
  2. Protecting yourself from CVE-2012-4681 Java exploits
  3. Oracle release Java 1.7.0_07 to fix CVE-2012-4681
  4. New spear of Black Hole exploit kit targets Java Vulnerability CVE-2012-1723
  5. New Java 0-day added to Blackhole Exploit Kit

Tags:  
Written by Websense
0 Comments

Leave a reply


Categories

FRIDAY, APRIL 26, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments