Email spam on September 19 was all about malware links & attachments
Sept 19, 2012
So far today I have received 14 spam email messages, which is way down from the typical two dozen or more. However, of those 14 messages, 10 contained either attachments carrying, or links to, the BlackHole Exploit Kit. The payload for those successfully exploited was the Zeus (Game Over) banking Trojan.
Here is the breakdown of those scams, listed by the brand being spoofed:
- ADP Client Services: 4 scams
- Better Business Bureau: 2 scams
- Facebook Notifications Pending: 1 scam
- American Express Forgotten ID: 1 scam
- Your Flight Order: 2 scams
- The remaining 4 were 1 work-at-home scam and 3 for Russian fake pharmacies.
The malware scams rely upon two technologies commonly deployed in web browsers to carry out their attacks. The first is JavaScript, which is normally installed and enabled to add special features and functions to websites. The second is an out-dated version of Oracle's Java Virtual Machine, which many computers have installed, often without their owners' knowledge. If a victim opens one of these scam emails, clicks on one of its poisoned links, and has JavaScript enabled, the exploit kit is loaded into an invisible iframe in their web browser. The kit consists of long lines of obfuscated JavaScript code and functions, ending in an "eval" statement.
If the victim also has a vulnerable version of Java installed, the exploit attack is launched with full force, downloading a hostile Java applet. This applet exploits weaknesses in the installed version of Java to jump out of the restricted area in the browser, called the sandbox, and into the operating system's files. The malware then installs a remote access Trojan (RAT), which downloads the real payload: usually the ZeuS banking Trojan.
Note: the BlackHole and other exploit kits also check for outdated, exploitable versions of Adobe Flash, Reader and Acrobat, plus vulnerable ActiveX controls and certain other now-patched Microsoft technologies. So, even if you are up to date with Java, or do not have it installed at all, you could be exploited via some other unpatched software that interacts with your browser.
It is of the utmost importance that email recipients have a way to display the actual destination of a link by hovering over it before clicking on it. Most email clients have, or can show, a "status bar" at the bottom where link URLs are displayed. This way, if a link claims to go to adp.com, but when you hover your pointer over it the status bar shows that it goes to a totally unrelated location, you should know better than to click on that link! Your email client may be your browser, for "Webmail" systems, or a desktop application like Windows Live Mail, Microsoft Outlook or Mozilla Thunderbird. Most PC-based email clients have a status bar either on the main program interface or at the bottom of an email message that is opened for reading.
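The two warning signs described above, the invisible iframe with eval-terminated obfuscated script on the landing page and the email link whose visible text names one site while it really points somewhere else, can both be checked mechanically. The following scanner is an added example written for this article, not code from the blog or from any product it mentions. Both sample documents are constructed, and the hostnames phish.example.net and kit.example.org are placeholders standing in for whatever the real spam used.

```python
"""Heuristic scanner for the two warning signs described in the post (added example,
not the blog's code): link text naming one site while the href goes to another, and
a page carrying an invisible iframe and eval-driven obfuscated script."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Collector(HTMLParser):
    """Collects anchors as (href, visible text), iframe attributes and inline scripts."""
    def __init__(self):
        super().__init__()
        self.anchors, self.iframes, self.scripts = [], [], []
        self._href, self._text, self._in_script = None, [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href") or "", []
        elif tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data   # script bodies arrive here as CDATA
        elif self._href is not None:
            self._text.append(data)

def _host(url):
    """Hostname of a URL; scheme-less text such as 'www.adp.com/x' is tolerated."""
    return (urlparse(url if "//" in url else "http://" + url).hostname or "").lower()

def _same_site(a, b):
    a = a[4:] if a.startswith("www.") else a
    b = b[4:] if b.startswith("www.") else b
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def mismatched_links(anchors):
    """Anchors whose visible text names a domain that differs from the real target host."""
    findings = []
    for href, text in anchors:
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if not shown:
            continue  # wording like "click here" cannot contradict the href
        real = _host(href)
        if real and not _same_site(real, shown.group(1).lower()):
            findings.append((text, href))
    return findings

def hidden_iframes(iframes):
    """iframes sized to nothing or styled invisible, the way a kit gets loaded silently."""
    findings = []
    for attrs in iframes:
        style = (attrs.get("style") or "").replace(" ", "").lower()
        dims = [str(attrs.get(k) or "").rstrip("px") for k in ("width", "height")]
        if any(d in ("0", "1") for d in dims) or "display:none" in style or "visibility:hidden" in style:
            findings.append(attrs.get("src") or "")
    return findings

def suspicious_scripts(scripts):
    """Inline scripts that call eval() on a long literal or on a decoder's output."""
    findings = []
    for body in scripts:
        if not re.search(r"\beval\s*\(", body):
            continue
        longest = max((len(s) for s in re.findall(r"[\"']([^\"']*)[\"']", body)), default=0)
        decoder = re.search(r"unescape\s*\(|fromCharCode", body) is not None
        if longest >= 200 or decoder:
            findings.append({"longest_literal": longest, "decoder": decoder})
    return findings

def scan(html):
    """Run all three checks over one HTML document and report findings by category."""
    c = _Collector()
    c.feed(html)
    c.close()
    return {"mismatched_links": mismatched_links(c.anchors),
            "hidden_iframes": hidden_iframes(c.iframes),
            "suspicious_scripts": suspicious_scripts(c.scripts)}

# Constructed "ADP Client Services" style lure; the phishing host is a placeholder.
SAMPLE_EMAIL = """<html><body><p>Your ADP Client Services account requires attention.</p>
<a href="http://phish.example.net/login">https://www.adp.com/clientservices</a>
<a href="https://www.adp.com/">ADP home</a>
<a href="https://support.example.com/">support.example.com</a></body></html>"""

# Constructed landing page: a 0x0 hidden iframe plus an eval() over a long literal.
SAMPLE_LANDING = ('<html><body><h1>Loading...</h1>'
    '<iframe src="http://kit.example.org/index.php" width="0" height="0" style="display:none"></iframe>'
    '<iframe src="https://www.example.com/video" width="640" height="360"></iframe>'
    '<script>var s="' + "ab12" * 60 + '";eval(s);</script><script>document.title="ok";</script></body></html>')
```

Calling `scan(SAMPLE_EMAIL)` reports the first anchor, whose text reads adp.com but whose href goes to the placeholder phishing host, and nothing else; `scan(SAMPLE_LANDING)` reports the zero-sized iframe and the eval over a 240-character literal. The link check is deliberately the same test a reader performs by hovering: it only fires when the visible text itself claims a domain, so ordinary "click here" links are left alone, and it treats www.adp.com and adp.com as the same site.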
Unfortunately, the email clients that I have seen for Android and iPhone smartphones don't appear to have any status bar (at this time). Hopefully, that will change soon. I do know that the folks who created MailWasher Pro are in the final beta testing process of creating a new version for Android, Apple and Windows smartphones. MailWasher Pro reveals actual link destinations in most cases, plus it blocks spam. I'll post a dedicated article when the Mobile MailWasher app is finalized.
To protect your computers and smart devices from the likes of the BlackHole Exploit Kit, disable the Java plug-in in your web browsers, or uninstall Java completely from those devices. If you use Firefox to browse the 'Net, install the NoScript add-on. If you prefer Google Chrome, install the ScriptNo extension. If you browse with Microsoft's Internet Explorer or Apple's Safari, pray, or disable all forms of active scripting!
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.