My spam honeypots yesterday yielded a nice example of a spam attack being used to lure people to servers hosting the infamous Blackhole exploit kit, which we've blogged about several times in the last six months or so.
The spam arrived the evening before. Here's how it looked:
Clicking on one of the links took me to a hacked site, with the following message:
This, of course, is simple camouflage, to distract me while my browser is given further instructions. Under the hood, the HTML looks like this:
I retrieved the first of the js.js files, which is extremely simple, just one line of script:
This IP hosts the Blackhole kit, and had already been flagged as a malware source in our database by one of our analysts when I checked, along with a sibling site that I found via following a different link. (Good to know that the team is on task!)
Leave a reply