More BlackHole Exploit Kit attacks spoofing LinkedIn, UPS, USPS
July 18, 2012
After a week where spam for pharmaceuticals, fake diplomas and replica watches dominated inboxes and junk folders, malware scams have resumed with a vengeance. These are spam email messages that either contain malware in an attached zip file, or a link to a malware server.
The recent email malware scams I saw, over the last 7 days, are spoofing the following brands or senders with these subjects:
UPS: "UPS Tracking Number H8087145257" - "UPS Tracking Number H1284336147"
UPS and USPS together: "Your Tracking Number H6497226598"
Sprint: "Your Sprint bill is now available online"
LinkedIn: "Join My Network on LinkedIn"
US Air: "Fwd: Your Flight US 896-119520"
Bank Account Operator: "Fwd: Wire Transfer Confirmation (FED_2732L45075)"
LiveJournal.com (UPS spoof): "Your Tracking Number H6302300603"
Post Express: "Delivery status is required urgent confirmation"
LinkedIn (UPS and USPS): "United Postal Service Tracking Nr. H9486128170"
Customer Support ups: "UPS Tracking Number H7383353854"
Habbo Hotel: "UPS: Your Package H4869590295"
As you can see, scams spoofing UPS and the USPS are the most common at this time. All of the above scams either carry the exploit code in an attachment (e.g. "MYUPS_N230250.zip") or point, through a chain of redirects, to a BlackHole Exploit Kit server. Both methods use JavaScript to probe your web browser or email client for vulnerable core components, plug-ins or extensions. The ones being targeted the most this week are: the Windows Help Center URL Validation Vulnerability, patched on July 13, 2010; numerous vulnerabilities in the Java Virtual Machine, all of which have been patched by Oracle Java updates; and the Microsoft XML Core Services Vulnerability, just patched on July 10, 2012. Finally, some versions of the BlackHole Exploit Kit also probe for vulnerable and exploitable versions of Adobe's Reader, Acrobat and Flash software. Previous versions also sought to exploit Adobe Shockwave and Air.
Let's analyze one of the LinkedIn malware scams I received just today.
Email scam spoofing a LinkedIn invitation:
Subject: Join my network on LinkedIn
From: LinkedIn <[email protected]>
Body text come-ons:
Keeley Holbrook has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn
- Keeley Holbrook
Accept (link)
View invitation from Keeley Holbrook (link)
Examining this email with its source displayed is the safest way to see that the sender is spoofed and that the links are hostile. Starting with the top-most Received line, instead of a linkedin.com server we find this:
Received: from [201.230.150.182] (port=21901 helo=client-201.230.150.182.speedy.net.pe)
Which is a customer of an ISP named Speedy.net, in Peru.
Also, the Return Path doesn't go to linkedin.com either. Rather, it goes to: [email protected]
While every image is pulled from LinkedIn (via img src references to LinkedIn.com), the critical links go elsewhere. We can also detect this by hovering the pointer over the links without clicking. Most desktop web browsers and email clients will display the actual destination URL in a status bar at the bottom as you hover over a clickable link. Android users can now download a brand new Firefox mobile browser that displays the URL in a status bar that appears when needed. Using the built-in Android browsers and email readers leaves most users blind to the actual link URLs.
In this case, the links surrounding the words "Accept" and "View invitation from Keeley Holbrook" open your web browser to (deactivated for your safety): h**p://www.falkirk.scotpool.net/cvdym.htm, where the BlackHole Exploit code lies in wait. The web page is on a server belonging to server55.donhost.co.uk, whose operators have yet to act on complaints filed via SpamCop.
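The checks just walked through (top Received hop, Return-Path domain, and image sources versus link targets) as an added Python example that is not the post's own code; the sample message, its IP, ISP host, bounce address and landing host are constructed placeholders:

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the spoofed LinkedIn invitation; the IP,
# ISP host, bounce address and landing host are illustrative placeholders.
RAW_EMAIL = b"""Received: from [203.0.113.45] (port=21901 helo=client-203.0.113.45.example-isp.net)
Return-Path: <bounces@example-isp.net>
From: LinkedIn <invitations@linkedin.com>
Subject: Join my network on LinkedIn
Content-Type: text/html

<html><body>
<img src="http://www.linkedin.com/img/logo.png">
<p>Keeley Holbrook has indicated you are a Friend</p>
<a href="http://landing.example/cvdym.htm">Accept</a>
<a href="http://landing.example/cvdym.htm">View invitation from Keeley Holbrook</a>
</body></html>
"""

def registered_domain(host):
    """Last two labels of a hostname: enough to compare sender vs. link domains."""
    if not host:
        return None
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw):
    """Apply the header and link checks from the post to one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = registered_domain(parseaddr(str(msg.get("From", "")))[1].split("@")[-1])
    rp_domain = registered_domain(parseaddr(str(msg.get("Return-Path", "")))[1].split("@")[-1])
    # The top-most Received line is the hop closest to the recipient's mail server.
    received = [str(h) for h in msg.get_all("Received", [])]
    m = re.search(r"helo=([\w.\-]+)", received[0]) if received else None
    received_host = m.group(1) if m else None
    html = msg.get_content()
    link_domains = {registered_domain(urlparse(u).hostname) for u in re.findall(r'href="([^"]+)"', html, re.I)}
    image_domains = {registered_domain(urlparse(u).hostname) for u in re.findall(r'<img[^>]+src="([^"]+)"', html, re.I)}
    findings = {
        "from_domain": from_domain,
        "received_host": received_host,
        "return_path_domain": rp_domain,
        "foreign_links": sorted(d for d in link_domains if d != from_domain),
        "images_from_sender": image_domains == {from_domain},  # the LinkedIn-lookalike trick
    }
    findings["spoofed"] = (registered_domain(received_host) != from_domain
                           or rp_domain != from_domain or bool(findings["foreign_links"]))
    return findings

if __name__ == "__main__":
    for key, value in analyze(RAW_EMAIL).items():
        print(f"{key}: {value}")
```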
The script on the landing page tricks victims with this large bold (H1) text: "Please wait a moment. You will be forwarded..." In the background a huge string of obscured JavaScript code probes your browser for various unpatched software and plug-ins, such as Oracle's Java, Windows Help Center, Adobe Flash, Microsoft XML Core Services, and more. If your browser is running any of the vulnerable versions of the targeted software, add-ons or plug-ins, the exploit will launch an installer in the background. To fool you if a UAC administrator permission prompt is expected, the installer will lie about what is being installed.
Make it a point to be aware of what add-ons, extensions, plug-ins, toolbars and helper objects are incorporated into all of your web browsers. It is your job to secure your computers. You should especially be aware if you have Java installed. If so, make sure it is fully up to date, at www.java.com. Java is the #1 exploited browser plug-in in the world. Always set your Windows PC to automatically receive and install "Recommended" Windows Updates, which are usually released on the second Tuesday of every month (but sometimes on other days, when required to halt a 0-day exploit in progress). If you have Adobe Flash, Reader, Acrobat, or Shockwave plug-ins, set them to check for and install updates automatically. Set the update check schedule to every day, at an afternoon hour when the computer is normally powered on.
If you have any old versions of Java on your computer, uninstall them. Malware is sometimes written to look for these previous versions, by their default installation path, then launch them by name, with hostile .jar files downloaded from malware servers.
Make sure you have legitimate anti-malware protection installed and running a real-time module that scans files as they are downloaded and opened. Back that up with a modern anti-virus and anti-spyware program that uses definitions in the cloud. Make sure you have a firewall operating.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.