FYI...Fake ADP emails, voice mail notifications lead to Blackhole Exploit Kit
13 Sep 2012 - "Since Blackhole Exploit Kit 2.0* was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email. Websense... has recently intercepted a few malicious email campaigns that try to lure the victims to Web pages that host this popular exploit kit... One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com... A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters... The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version. ADP is one the largest names in payroll services... Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":
... one of the possible redirection paths:
hxxp ://allbarswireless .com/HXwcDdQ/index.html
hxxp ://ash-polynesie .com/AjVSXvus/js.js
hxxp ://126.96.36.199 /links/ differently-trace.php ...
Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message." Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":
... redirection chain here is similar:
hxxp ://www.tryakbar .com/tLbM3r/index.html
hxxp ://sportmania .so/JP3q2538/js.js
/tfvsfios6kebvras .php?r=rs3mwhukafbiamcm ...
Another scheme thanks the user for signing up for a premium service. Subject lines include "Thank you for activating paid services":
Different redirection chain, but the landing page hosts Blackhole, with a very familiar path:
hxxp ://www.svstk. ru/templates/beez/check.php
hxxp ://bode-sales .net/main.php?page=3c23940fb7350489
And finally, the familiar theme of FDIC notifications claiming your wire transfer ability was suspended. Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"
Here again, simple redirection leads to typical "/main.php?page=" type URLs.
hxxp ://kahvikuppi .org/achsec.html
hxxp ://afgreenwich .net/main.php?page=0f123fe645ddf8d7
Note that as part of the update to Blackhole 2.0, we are much more likely to see URLs like those used in the first two examples, rather than the latter two, due to the dynamic URL generation capability
13 Sep 2012 - "... fake ADP spam tries to load malware from 188.8.131.52
... After clicking the link bouncing through a couple of redirectors, the victim ends up at [donotclick]184.108.40.206 /links/systems-links_warns.php which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP
just in case."
Sep 12, 2012
Sep 13, 2012