Spoofed 'Bill Me Later' email has links to 20 Blackhole exploit websites
May 16, 2012
This article is about cybercriminals taking email exploit attacks to a new level. Tonight, I processed an email scam (to SpamCop) that claimed to come from a service known as 'Bill Me Later' - detailing an online payment I was supposed to have made over the phone. Except, my name is not Dr. Mary Olsen, MD!
The message, which was carbon copied (CC) to dozens of other recipients (whose email addresses were viewable in plain text), started off with the following totally fake text:
"Thank you for making a payment over the phone! We've received your
Bill Me Later® payment of $60.12 and have
applied it to your account."
The scam goes on to list various account numbers and (fake) payment details. It was also loaded with images and 20 clickable links for viewing further details, including:
Manage your account, Make a payment, View statements, Account Summary, Home, Make a Payment, About Bill Me Later, Offer, Directory, View Statements, Merchant Sign Up, Store, View Account, Summary, FAQs, Register Account
and 4 image links.
What is astoundingly different about this scam is not just the unusually high number of links leading to an exploit kit, but the fact that they all led to different domains. Normally, I see one or two domains used in hostile link scams. Twenty different compromised domain links is a new record for me.
Each one of these 20 links (see compromised website list) leads to a different website, to a sub-directory (folder) whose name is 8 mixed-case alphanumeric characters, followed by /index.html. Here is one sample URL (deactivated for your safety): h**p://webprof.ro/Tv2YU8u6/index.html
The 20 domains used in this attack were all compromised by means of outdated or unsecured plug-ins for the web software they were running, such as WordPress, Joomla, the TimThumb image viewer/uploader, or some other exploitable software the webmasters installed but failed to update.
The payload is the BlackHole Exploit Kit, which in this scam run is hosted on a compromised server belonging to Directspace Networks (AS46816), in the USA. I have notified them about the IP and file details where the exploit kit is housed. The exploit is delivered by a Russian-designed Nginx web server.
The BlackHole Exploit Kit (Wikipedia article) originates and is updated in Russia. It targets vulnerable versions of Java, Flash and Adobe Reader, with Java exploits coming first. If you click on a link that redirects your browser to this exploit kit, and you have JavaScript enabled, and you have an outdated or unpatched version of the Java Virtual Machine installed on your computer, it will probably be taken over by the malware delivered by the BlackHole Kit. This usually means that: 1) your computer joins a botnet; 2) it becomes infected with a dangerous Trojan* that does whatever the criminals delivering it want it to do; and 3) a rootkit is installed to protect the infection against your attempts to remove it.
Hopefully, you read this before you receive the fake Bill Me Later email message. Hovering over (without clicking) the links and clickable images will reveal the actual URLs in the status bar. Every one of the links in all of the current BlackHole scams leads to an unremarkable domain name (unrelated to the domain mentioned in the email subject or body text), some with country-code domain extensions, and every URL has the same shape: a forward slash, a folder name of 8 mixed-case alphanumeric characters, another forward slash, and a file named index.html.
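As an added example (not code from the original post), here is a small Python script that applies the two checks described above to the links in an HTML message: it extracts every href, flags those whose path is a single 8-character alphanumeric folder followed by /index.html, and reports how many distinct domains those links point to and which of them are unrelated to the brand named in the message. The sample message body, the brand domain billmelater.example, and every domain other than the post's own webprof.ro sample are constructed placeholders; the refang helper also accepts the h**p:// and hxxp:// defanging used in reports.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The link shape described in the post: one path folder of exactly 8 alphanumeric
# characters, then /index.html. Case is deliberately not enforced so that an
# all-lowercase or all-digit folder name is still flagged.
BLACKHOLE_PATH = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")

# Constructed sample message body. Only webprof.ro comes from the post; the other
# domains are placeholders, and billmelater.example stands in for the brand's domain.
SAMPLE_EMAIL = """
<p>Thank you for making a payment over the phone!</p>
<a href="http://webprof.ro/Tv2YU8u6/index.html">Manage your account</a>
<a href="http://example-one.net/aB3dE9fG/index.html"><img src="cid:logo"></a>
<a href="http://example-two.co.uk/Zx9Qw1Lm/index.html">View statements</a>
<a href="https://billmelater.example/help/faq.html">FAQs</a>
<a href="http://example-three.org/about/index.html">About</a>
"""


class LinkCollector(HTMLParser):
    """Collect the href target of every <a> tag, i.e. what hovering would reveal."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "a" and attributes.get("href"):
            self.links.append(attributes["href"])


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def refang(url):
    """Undo h**p:// or hxxp:// defanging so a URL copied from a report still parses."""
    return re.sub(r"^h(\*\*|xx)p(s?)://", r"http\2://", url, flags=re.IGNORECASE)


def matches_blackhole_pattern(url):
    """True if the URL is http(s), has a host, and its path is /XXXXXXXX/index.html."""
    parts = urlparse(refang(url))
    return (parts.scheme in ("http", "https")
            and bool(parts.netloc)
            and BLACKHOLE_PATH.match(parts.path) is not None)


def analyze_message(html, claimed_domain):
    """Summarise the links in an HTML message against the claimed sender brand."""
    links = extract_links(html)
    suspicious = [link for link in links if matches_blackhole_pattern(link)]
    domains = {(urlparse(refang(link)).hostname or "").lower() for link in suspicious}
    # A link is "off-brand" when its host is neither the claimed domain nor a subdomain.
    off_brand = {d for d in domains
                 if not (d == claimed_domain or d.endswith("." + claimed_domain))}
    return {
        "links": len(links),
        "suspicious": suspicious,
        "distinct_domains": sorted(domains),
        "off_brand_domains": sorted(off_brand),
    }


if __name__ == "__main__":
    report = analyze_message(SAMPLE_EMAIL, "billmelater.example")
    print(f"{report['links']} links, {len(report['suspicious'])} match the pattern")
    for url in report["suspicious"]:
        print("  flagged:", url)
    print("distinct exploit-kit domains:", report["distinct_domains"])
    print("off-brand domains:", report["off_brand_domains"])
```

Run on the sample message, the script flags the three links with an 8-character folder, leaves the FAQ link and the /about/index.html link alone, and reports three distinct domains, none related to the brand. A high count of distinct flagged domains in one message is exactly the signal the post describes as unusual.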
If you receive this scam, delete it. Hovering over the links to inspect them is fine, but do not click on any of them.
If you have clicked on any links in one of these scams, you need to run a scan with legitimate anti-malware programs, which are up to date. I use and recommend Trend Micro Internet Security as my antivirus program and also use a registered version of Malwarebytes Anti-Malware. To add another layer of protection, I operate from a "Standard User" account, not an Administrator account. While I could conceivably be tricked into installing a Trojan, it is much harder for a silent, drive-by exploit to hack my PC without my direct interaction.
* The Trojan delivered by the BlackHole Exploit Kit varies: from the ZeuS bank-account stealer, to other sensitive-information harvesters, to fake security programs, to ransomware that cripples your PC or hides important files until you pay a ransom for an unlock code.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.