Blackhole Exploit Kit Used in Conjunction with Spam Emails
Written by Malcolm James on July 17, 2012
Uh-oh. Welcome to my lair, said the spider to the fly. And we all know how that worked out: spider meets fly, fly gets busy with spider, spider eats fly. Ick. And if you haven’t been following the most recent exploits of those intrepid spammers – you know the ones, the ones who annoy, invade, attempt to steal and generally bug the hell out of us – then be prepared to say double ick.
This week, several media outlets are reporting a change in the way spammers do their, uhm, business, and if the reports are true, it looks like the scam artists are easing up on those predictably bad appeals aimed at only the most vulnerable among us. Typically, your average spammer relies on the stupidity and/or ignorance of the recipient, requiring the person reading the mail to pry open the mouth of the lion and stick his head in. Usually based on a theme requiring some urgency, these emails attempt to scare the user into thinking that the tax man is about to seize his house, shut down his PayPal account, or permanently block him from purchasing fake Viagra. It’s a scheme that fails to snare most of us, but when someone does get fooled by these messages, the results can be disastrous.
Fortunately, most of us have been able to rest easy in the knowledge that these things can be spotted by a blind man from a mile away. Poor grammar, egregious misspelling and suspicious-looking pages that clearly don’t belong to the purported institution: all clear giveaways that can be easily spotted by spam filters and dumped in the trash. Now, however, the buzz on the street is unsettling and a little creepy, if you stop to think about the implications.
According to Help Net Security, the most popular use of Blackhole is the impersonation of “social networking sites (Facebook, LinkedIn, MySpace), e-payment and e-commerce companies (PayPal, eBay), airlines (US Airways, Delta Airlines), financial institutions (AmEX, Citibank, Bank of America) and logistics services companies such as FedEx, UPS, etc.”
Unlike ‘traditional’ spam emails, which often convey a sense of urgency, recent spam methods are looser, according to the same article:
“The phishing messages of today have far less urgency and the message is implicit: ‘Your statement is available online’; or ‘Incoming payment received’, or ‘Password reset notification.’”
The implication, of course, is that users may be lulled into a false sense of security by something that doesn’t threaten unreasonable earth-shattering consequences if the user doesn’t act immediately.
According to the researchers, this new use of email spam creates:
“difficulties for traditional antispam methods. Content-based filters, for instance, have a problem with the attacks because these use modified versions of legitimate emails, making detection and blocking more difficult to do.”
This newer, looser approach to spam email, combined with links to Blackhole-infested sites, ups the ante for IT professionals. Users need to understand that a spam email that looks more legitimate (one without the poor writing and bad grammar, say) is no safer to click on than a clumsy one. A link in an email that purports to come from their bank, or from a social media site where they happen to hold an active account, still leads wherever the sender chose. Humans are creatures of habit, and if an email looks exactly like a legitimate one they have received in the past, they are more apt to click the link without a second thought.
As always, user education is paramount. If you’re holding an information session with your staff, fabricate an email from a legitimate site, swapping out the link for something else. Show them how a link can say one thing but be something totally different, using simple techniques like hovering over the link to see its true nature. And, as always, tell them to stop and think about what they’re doing before they click.
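The same "hover and compare" check a user does by hand can be automated for a training session or a mail-gateway rule. The script below is an added example, not code from the original article: it pulls every link out of an HTML message body and flags any whose visible text is itself a URL pointing somewhere other than the real href host, or whose real host falls outside the domain the message claims to come from. The sample message is constructed for the demo (a low-urgency "Incoming payment received" notice styled like the PayPal mails the article mentions), the hostnames in it are made up, and the registrable-domain logic is a deliberately crude last-two-labels heuristic rather than a real public-suffix list.

```python
"""Flag e-mail links whose visible text or claimed sender domain disagrees
with the real href host.  Added example; not from the original article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loose test for "this anchor text looks like a URL or bare domain" (heuristic).
URL_LIKE = re.compile(r"^(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname; bare 'www.paypal.com/x' style text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: last two labels (assumption: no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_mismatched_links(html, claimed_domain):
    """Return one dict per suspicious anchor, listing why it was flagged."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        href_host = host_of(href)
        if not href_host:                   # mailto:, javascript:, empty href: skip
            continue
        reasons = []
        # 1. The text shows a URL, but the link really goes to another domain.
        if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(href_host):
            reasons.append("visible text %r does not match real host %s" % (text, href_host))
        # 2. The link leaves the domain the message claims to be from.
        if registrable(href_host) != claimed_domain.lower():
            reasons.append("link leaves claimed sender domain %s" % claimed_domain)
        if reasons:
            flagged.append({"href": href, "text": text, "reasons": reasons})
    return flagged


# Constructed sample message (hostnames are fictitious).
SAMPLE_EMAIL = """
<p>Incoming payment received.</p>
<p>View the details at
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/myaccount</a>.</p>
<p>Questions? Visit our <a href="https://www.paypal.com/help">Help Center</a>.</p>
<p>Or <a href="https://cdn.tracking-pixel.example/c?u=1234">click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL, "paypal.com"):
        print(hit["href"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the sample, the first link is flagged twice (its text names www.paypal.com while the href host is paypal.com.account-verify.example, a classic "brand as a subdomain" trick, and it leaves paypal.com), the "click here" unsubscribe link is flagged once for leaving the claimed domain, and the genuine Help Center link passes. In a training session the printed output makes the text-versus-href gap concrete; as a gateway rule the second heuristic needs a per-sender allow list, since legitimate mails routinely link to CDNs and tracking hosts.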