Yesterday, we wrote about the return of Amazon spam, and how criminals behind this campaign led users to have their software exploited via the Blackhole exploit kit, especially if they’re not properly patched. At the end of that entry, we included a list of campaigns that use popular brand names that criminals bank on to make their spam appear legitimate. We’re adding one more name in that list today: Twitter.
From: {spoofed Twitter email address}
Subject: Confirm your Twitter account, jimm*!
Message body:
Hi, jimm*.
Please confirm your Twitter account by clicking this link:
Please click here.
Once you confirm, you will have full access to Twitter and all future notifications will be sent to this email address.
The Twitter Team
--------------------
If you received this message in error and did not sign up for a Twitter account, click not my account.
Please do not reply to this message; it was sent from an unmonitored email address. This message is a service related to your use of Twitter. For general inquiries or to request support with your Twitter account, please visit us at Twitter Support.
* specified name may be random
All links in the bogus Twitter confirmation email point to a Web page that appears to be a compromised account on ZENphoto, a blog and media platform that is quite similar to WordPress.
The URL of the malicious Web page contains the following string:
/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/
Users are then redirected to the Russian website saprolaunimaxim(dot)ru, which hosts a Blackhole exploit kit. The kit in turn deploys exploits targeting one- to six-year-old Adobe Reader and Adobe Flash vulnerabilities, such as the following:
GFI VIPRE Antivirus detects the exploits used against these vulnerabilities as:
- Exploit.PDF-JS.Gen (v)
- Trojan.SWF.Generic (v)
- Trojan.Win32.Generic.pak!cobra
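The redirect chain above leaves two indicators a defender can look for: the ZENphoto ajaxfilemanager plugin path in the first-hop URL and the Blackhole landing domain in the second. The following is an added example, not code from the original post, that pulls URLs out of an email body or a proxy log and flags those matching either indicator; the compromised-site hostname and the log lines are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Indicators named in the post: the plugin path seen on the compromised
# ZENphoto site and the (defanged) domain hosting the Blackhole exploit kit.
ZENPHOTO_PLUGIN_PATH = "/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/"
BLACKHOLE_DOMAIN_DEFANGED = "saprolaunimaxim(dot)ru"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(indicator):
    """Turn a defanged indicator such as 'example(dot)ru' back into a hostname."""
    return indicator.lower().replace("(dot)", ".").replace("[.]", ".")


BLACKHOLE_DOMAIN = refang(BLACKHOLE_DOMAIN_DEFANGED)


def classify_url(url):
    """Return the name of the indicator a URL matches, or None if it is clean."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == BLACKHOLE_DOMAIN or host.endswith("." + BLACKHOLE_DOMAIN):
        return "blackhole-domain"
    if ZENPHOTO_PLUGIN_PATH in parsed.path.lower():
        return "zenphoto-ajaxfilemanager-path"
    return None


def scan_text(text):
    """Extract every URL from free text (an email body or a proxy log) and
    return (url, indicator) pairs for the ones that match an indicator."""
    hits = []
    for url in URL_RE.findall(text):
        indicator = classify_url(url)
        if indicator:
            hits.append((url, indicator))
    return hits


# Constructed sample input; photos.compromised-example.org is a placeholder host.
SAMPLE_EMAIL = """Please confirm your Twitter account by clicking this link:
http://photos.compromised-example.org/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/go.php
Twitter Support: https://support.twitter.com/"""

SAMPLE_PROXY_LOG = """10.0.0.5 GET http://photos.compromised-example.org/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/go.php 302
10.0.0.5 GET http://saprolaunimaxim.ru/index.php 200
10.0.0.5 GET https://support.twitter.com/ 200"""

if __name__ == "__main__":
    for name, text in (("email", SAMPLE_EMAIL), ("proxy", SAMPLE_PROXY_LOG)):
        for url, indicator in scan_text(text):
            print(f"[{name}] {indicator}: {url}")
```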
We can’t stress this enough: Website owners must take responsibility for updating the plugins and other third-party applications they use on their websites to prevent their sites from getting hacked. It is equally important that they update all software installed on their systems to prevent further exploitation and infection.
Jovi Umawing (Thanks to James for finding and analyzing this)