The Latest in IT Security

Protecting Customers From Black Hole Exploit Kit Spam Runs

11
May
2012

In light of the slew of persistent black hole spam runs, we have been tracking and investigating this threat that leads users to the black hole exploit. These attacks typically start with a spammed message containing a link to a compromised website that redirects a user’s browser to a malicious site hosting the said exploit. The payload of this threat is to install ZeuS variants onto user systems in order to steal sensitive information from users.

Trend Micro Solution for Black Hole Spam Runs

Focusing on the black hole exploit kits at the infection point when the malware begins to download may not be enough. We focus instead at the start of the attack. Because the email is where the threat starts, detection is needed at the beginning, for the phishing email is sent to lure users into clicking the URL that will ultimately lead to the site that downloads the malware.

We created a system that uses big data analysis and the power of Trend MicroT Smart Protection NetworkT, for a unique view of these attacks as they occur, so solutions can be quickly created. Once the details of the attacks are correlated and mapped out, solutions are released to the cloud to protect customers via Smart Protection NetworkT.

Insight into Black Hole Exploit Attacks as the Attacks Occur

The initial challenge for this threat came from the compromised websites. Owners of these compromised websites need to constantly clean up the sites that get compromised. However, the compromised websites that are still vulnerable may still be used in the next attack.

In the past weeks, black hole exploit-related activities employed social engineering lures using well-known companies like LinkedIn, US, Airways, Facebook, American Express, PayPal, and Careerbuilder. The messages we’re seeing are highly intelligent and well-crafted phishing messages that gain the trust of users. The format and wording of these email messages were made to look exactly the same as the legitimate messages from these companies. This is why these messages are difficult to detect using traditional methods.

One of the spam runs we investigated used the popular business-related site LinkedIn. At the beginning of this run, we identified more than 300 URLs, which were distributed across more than 100 compromised websites.

Based on our investigation, the variables in the attacks e.g. the links in the spam, are constantly changing, making the detection and take down of the related links difficult. This routine makes it challenging for spam filters to detect the related links. Also, more and more smaller botnets, which are running less traffic, are being used to circumvent detection.

Trend Micro continues to investigate these attacks to strengthen our solutions. We will be updating this story in the coming days to provide more insight into our protection strategy.

Related posts:
  1. Persistent Black Hole Spam Runs Underway
  2. Black Hole Exploits Kit 1.1.0 Inside
  3. Blackhole Exploit Hones in on Amazon Users
  4. Compromised WordPress sites Drive Users to Blackhole Exploit Kit
  5. Blackhole Exploit + Rogue AV capitalizes on Steve Jobs’ passing

Tags:  
Written by TrendLabs
0 Comments

Leave a reply


Categories

SATURDAY, FEBRUARY 22, 2025
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments