« It's time to update Adobe Flash and Microsoft Windows! | Blog Home | Fix for MovableType loses ability to assign categories to entries »

Bookmark and Share

Emails spoofing Adobe order numbers have links to Blackhole Exploit Kit

December 12, 2012

Today there is a new email scam run making the rounds, spoofing an Adobe order number and download link. The links are malicious, leading to the Blackhole Exploit Kit.


The email messages in question claim to come from [email protected] But, so far, the sender's name is usually a capitalized first and sometimes also last name. This is not standard business practice and should be a dead giveaway that something is amiss. Nobody working at a major software company will spell their name with a caps!

The subjects thus-far have been: Order N(5 numbers)

The message body text begins with: "Good (day|morning),You can download your Adobe CS4 License here" - with a link around the word "here." If you read email on your computer you can hover your pointer over links to display the actual destination URL in a status bar that appears on the bottom of the email client. These poisoned links end with: /redirecting.htm - which is a commonly used page name for the Blackhole Exploit Kit. The landing page has the title: "Please wait" and the H1 heading: "Please wait a moment ... You will be forwarded... "

From that point onward, your browser is attacked with obfuscated JavaScript functions, probing for an exploitable version of Oracle Java or Adobe Flash, at the very least, and sometimes other vulnerable software. If you browse with Firefox, with the NoScript Add-on installed and active, set to its default security to disallow Java and JavaScript, unless you specifically allow it, you will not be exploited automatically. But, some attack kits also contain a manual link option that appears when people arrive with JavaScript disabled. If you are offered a manual link (on the page titled "Please wait" ... you will be forwarded) to install a "missing plug-in" (usually Java or Flash), refuse and close the page, then close the browser. Then update your security program and scan for threats that might have slipped in during the attack.

Unfortunately, many mobile phone users don't usually have this hover function that would alert them to poisoned links. You would have to be using a mobile browser or email reader that contains a hover to display function, or else pray that your device is not targeted by the exploit kit at the other end of the click.

Attack Vectors

The primary attack vector is to probe for a vulnerable version of Oracle's Java virtual machine, which according to Oracle is installed World-wide on over 3 billion devices. That means that there's a good chance it is also installed on the device you are using to send and receive your email and browse the Interwebs. I strongly advise you to check your installed software, or apps, to see if you do have Java installed. If so, it may not be the most current version, meaning it IS targeted by the Blackhole exploit kit.

Note, that sometimes a brand new vulnerability is discovered and published by black or gray hat security researchers and is quickly absorbed by cybercriminals who publish attack kits. When this happens, Oracle and other software companies targeted by exploit kits have very little time to analyze the vulnerabilities and create a patched version of the software, then release it via their update channels. Oracle in particular has been very slow to respond to "zero day exploits" targeting Java, leaving millions, or billions of devices at risk for weeks or even months at a time.

If you find that you do have Java installed, use its built in update checker to see if a newer version is available, then upgrade immediately. Otherwise, go to www.java.com and use the link labeled "Do I have Java?" to see if it is installed and if so, what version it is. If not the current version, upgrade via the link to download Java for your various affected devices. Better still, if you don't absolutely know that you need Java (most do not), uninstall it (all versions present) from your computers and smart devices.

Bookmark and Share  

Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by
Movable Type 4.38

About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security and combating spam. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

We are hosted on Bluehost and couldn't be happier!

Fight website spammers