Blackhole Exploit Kit Spam Campaigns Disguised as Top Service Brands
Spam campaigns based on the Blackhole Exploit Kit send messages that contain links to compromised legitimate websites, which serve hidden iframes and redirections that exploit vulnerabilities across operating systems–from Android to Windows. Spam themes we have seen vary rapidly and are disguised to appear as legitimate messages from familiar services. Campaigns spoofing Facebook, LinkedIn, American Airlines, and various banking services carry embedded links to malware. Spammers abuse email templates from familiar service providers by capturing automated emails, replacing links in the template with links to malware, and rebroadcasting those messages to harvested or predicted recipients.
This tactic has proven effective for spammers. Recipients are likely to click links in familiar-looking emails and often create custom whitelist entries for common sending domains without enforcing Sender Policy Framework or DomainKeys Identified Mail validation.
The Messaging Security Team at McAfee Labs has closely monitored this trend and would like to share a few common traits from recent campaigns to aid in identification:
• Messages are disguised to appear as legitimate mails from well-known service providers
• Subject lines are very catchy and similar to those of any service provider
Subject line examples:
• Your Verizon wireless bill
• Pending Wire Transfer Notification – Ref: 15192
• TrustKeeper Network Scan Information
• BBC-Email: USA government decided to follow Cyprus and rise deposit taxes!!!
• [FIRSTNAME LASTNAME] left you a comment…
• Your order # ID[Random digits] has been completed
Other features:
• URL paths commonly end in …/random_word.html or …/random_word.php
• Spammers recycle templates across campaigns. These emails could have embedded links to malware or attached .zip/executable files.
• Unsubscribe links are typically missing or replaced with malicious links
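The traits above, together with the SPF/DKIM gap described earlier, can be checked mechanically at the mail gateway. The following Python sketch is an added example, not code from McAfee Labs or the original article; the sample message, the `example.*` hostnames, the `BRANDS` map and the trait names are constructed for illustration, and it assumes the `Authentication-Results` header was written by your own receiving server.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real campaign artifact); example.* names are placeholders.
SAMPLE = """\
From: "LinkedIn" <notify@mailer.example.net>
Subject: Jane Doe left you a comment...
Authentication-Results: mx.example.org; spf=softfail; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Jane Doe left you a comment.</p>
<a href="http://compromised.example.com/wp-content/lantern.html">View comment</a>
</body></html>
"""

# Assumed map of brand display names to the domains they really send from.
BRANDS = {"linkedin": "linkedin.com", "facebook": "facebook.com"}
HREF = re.compile(r'href=["\']([^"\']+)["\']', re.I)
WORD_PAGE = re.compile(r"/[a-z]+\.(?:html|php)$", re.I)  # .../random_word.html or .php

def score_message(raw):
    """Return the campaign traits from the article that a raw message matches."""
    msg = message_from_string(raw)
    hits = []
    # Only trust this header if your own MTA adds it and strips inbound copies.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim"):
        if f"{mech}=pass" not in auth:
            hits.append(f"{mech}-not-pass")
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, real in BRANDS.items():
        # Display name claims the brand, but the address is not on the brand's domain.
        if brand in name.lower() and not (domain == real or domain.endswith("." + real)):
            hits.append("brand-spoof:" + brand)
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    links = HREF.findall(body)
    if any(WORD_PAGE.search(urlparse(u).path) for u in links):
        hits.append("word-page-link")
    if "unsubscribe" not in body.lower():
        hits.append("no-unsubscribe")
    return hits
```

Each trait is a weak signal on its own (many legitimate pages end in a single word plus .html), so treat the returned list as input to a combined score rather than a verdict.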
Blackhole Spam Samples
Fake wire-transfer campaign: [image]
Fake LinkedIn campaign: [image]
Fake Facebook campaign: [image]
You will notice all of these samples have fake .html or .php links, which are highlighted in red in the foregoing samples. These are the links carrying payloads that we need to be aware of.
The bad guys will use many techniques to deliver their spam; social engineering is a reality. Messaging Security advises caution when clicking links in emails: hover first! Employ multiple layers of defense in your environment–from email defense to web security to antimalware, and keep those definitions up to date!
NOTE! For those who have their own mailserver, these steps can help to secure it:
Some basic steps to secure a mailserver!
Original article: Wednesday, April 17, 2013 at 3:40pm by Paras Gupta