Emails spoofing Adobe order numbers have links to Blackhole Exploit Kit
December 12, 2012
Today a new email scam is making the rounds, spoofing an Adobe order number and download link. The links are malicious and lead to the Blackhole Exploit Kit.
The messages claim to come from email@example.com, but so far the sender's display name is usually a first name, and sometimes also a last name, written entirely in capitals. That is not standard business practice and should be a dead giveaway that something is amiss: nobody working at a major software company signs their email with their name in all caps!
The subject lines seen thus far follow the pattern "Order N" followed by five digits.
The message body begins with "Good (day|morning),You can download your Adobe CS4 License here", with the link attached to the word "here." If you read email on a computer, you can hover your pointer over a link to display its real destination URL in the status bar at the bottom of the email client. These poisoned links end with /redirecting.htm, a page name commonly used by Blackhole Exploit Kit landing pages. The landing page has the title "Please wait" and the H1 heading "Please wait a moment ... You will be forwarded... "
Unfortunately, most mobile phone users don't have this hover function to warn them about poisoned links. Unless your mobile browser or email reader offers some way to display a link's destination before you open it, you can only hope that your device is not one of those targeted by the exploit kit on the other end of the click.
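The indicators above can be checked mechanically, which is handy on a mail server or for anyone whose client has no hover preview. The script below is an added example, not code from the original post: it parses a raw RFC 822 message and reports which of the post's indicators match (an all-caps sender display name; a subject of "Order N" plus five digits, with an optional space allowed since the post does not say whether there is one; the "You can download your Adobe CS4 License here" opening; and any link whose path ends in /redirecting.htm). It also lists the real host behind every link, which is the hover check done programmatically. The sample message, its addresses and the link host are constructed for this example.

```python
"""Triage the spoofed "Adobe order" e-mails described in the post.

Added example, not code from the original post. The sample message below,
its addresses and its link host are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject "Order N" + five digits; the post does not say whether a space
# separates them, so one is allowed (assumption).
SUBJECT_RE = re.compile(r"^Order N\s?\d{5}$")
# Opening line quoted in the post; whitespace is flexible because the HTML
# may wrap before the "here" link.
BODY_RE = re.compile(
    r"Good (?:day|morning),\s*You can download your Adobe CS4 License\s+here"
)
TAG_RE = re.compile(r"<[^>]+>")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def _bodies(msg):
    """Return (plain_text, html) concatenated over all body parts."""
    plain, html = "", ""
    for part in msg.walk():
        payload = part.get_payload(decode=True)
        if payload is None:  # multipart container: no body of its own
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/html":
            html += text
        elif part.get_content_type() == "text/plain":
            plain += text
    return plain, html


def link_targets(raw_message):
    """The hover check, done programmatically: (visible text, real host)
    for every link in the HTML body, so "here" can be compared with where
    it actually goes."""
    _, html = _bodies(message_from_string(raw_message))
    return [(text, urlparse(href).hostname or "") for href, text in _links(html)]


def campaign_indicators(raw_message):
    """Return the names of the post's indicators that match the message."""
    msg = message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject")
    name, _addr = parseaddr(msg.get("From", ""))
    if name and name.isupper():  # display name such as "JOHN SMITH"
        hits.append("caps_sender_name")
    plain, html = _bodies(msg)
    if BODY_RE.search(plain) or BODY_RE.search(TAG_RE.sub("", html)):
        hits.append("body_text")
    if any(urlparse(h).path.endswith("/redirecting.htm") for h, _ in _links(html)):
        hits.append("redirecting_htm_link")
    return hits


# Constructed sample message shaped like the campaign described in the post.
SAMPLE_EML = """\
From: JOHN SMITH <orders@example.com>
To: victim@example.net
Subject: Order N12345
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>Good day,You can download your Adobe CS4 License
<a href="http://compromised-site.example/redirecting.htm">here</a></body></html>
"""

if __name__ == "__main__":
    print("indicators:", campaign_indicators(SAMPLE_EML))
    print("link targets:", link_targets(SAMPLE_EML))
```

Any one indicator on its own is weak (plenty of legitimate mail has a "here" link), so treat the subject pattern, the all-caps sender and the /redirecting.htm path together as the signal, and use link_targets to show the reader the real host before they click.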
The primary attack vector is to probe for a vulnerable version of Oracle's Java virtual machine, which according to Oracle is installed on over 3 billion devices worldwide. That means there is a good chance it is also installed on the device you use to send and receive email and browse the Interwebs. I strongly advise you to check your installed software, or apps, to see whether Java is present. If it is, it may not be the current version, and an outdated Java IS targeted by the Blackhole Exploit Kit.
Note that sometimes a brand new vulnerability is discovered and published by black- or gray-hat security researchers and is quickly absorbed by the cybercriminals who publish attack kits. When this happens, Oracle and the other software companies targeted by exploit kits have very little time to analyze the vulnerability, build a patched version of the software, and release it through their update channels. Oracle in particular has been very slow to respond to "zero-day exploits" targeting Java, leaving millions, or even billions, of devices at risk for weeks or months at a time.
If you find that you do have Java installed, use its built-in update checker to see whether a newer version is available, and upgrade immediately. Otherwise, go to www.java.com and use the link labeled "Do I have Java?" to see whether it is installed and, if so, which version. If it is not the current version, upgrade via the download links for each of your affected devices. Better still, if you don't know for certain that you need Java (most people do not), uninstall every version present from your computers and smart devices.
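For a fleet of machines, or for readers who prefer a local check to the "Do I have Java?" web page, the following added example (not code from the original post) asks the Java on the PATH for its version and compares it with a minimum you supply. The minimum version is an assumption you look up yourself; the post gives no number. One detail worth knowing: java -version prints its banner to stderr, not stdout, so a script that only reads stdout will wrongly conclude Java is absent.

```python
"""Check the locally installed Java against a required minimum version.

Added example, not from the original post. The minimum version is an
assumption the caller supplies (look it up on java.com); no version number
here comes from the post.
"""
import re
import subprocess

# Matches both the 2012-era form 'java version "1.7.0_09"' and the newer
# 'openjdk version "17.0.2"' form; a missing update number counts as 0.
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Parse a java -version banner into a comparable tuple, e.g.
    'java version "1.7.0_09"' -> (1, 7, 0, 9). Returns None if unrecognised."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(group or 0) for group in match.groups())


def installed_java_version():
    """Return the parsed version of the java on PATH, or None if there is
    no usable java. Note that java -version writes its banner to stderr."""
    try:
        proc = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, timeout=30
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_java_version(proc.stderr or proc.stdout)


def needs_upgrade(installed, minimum):
    """True when a Java runtime is present but older than `minimum`.
    No Java at all is not an exposure to this kit, so that returns False.
    Tuples compare correctly within one numbering scheme (1.x.y_u)."""
    if installed is None:
        return False
    return installed < minimum


if __name__ == "__main__":
    # Assumed minimum for illustration only; substitute the current release.
    required = (1, 7, 0, 10)
    found = installed_java_version()
    if found is None:
        print("No Java runtime found on PATH: nothing to upgrade.")
    elif needs_upgrade(found, required):
        print("Java %s is older than required %s: upgrade or uninstall it." % (found, required))
    else:
        print("Java %s meets the required minimum %s." % (found, required))
```

Run it as-is to see the verdict for the machine you are on; on a box with several Java installations, remember that only the one first on the PATH is inspected, which is one more reason to follow the post's advice and remove every copy you do not need.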
Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated around the clock, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. Offloading the bulk of these ever-changing definitions to cloud servers greatly reduces the load on your computer. All users of Trend Micro security programs are instantly protected from web pages laden with malware exploits and from hostile email by the Trend Micro Smart Protection Network.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.