Attacks/Breaches
10/14/2011
11:09 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Blackhole Crimeware Goes 'Prime Time'

New HP OfficeJet phishing emails peaked at around 36,000 per minute on Wednesday.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Attackers are increasingly using the Blackhole exploit kit in phishing campaigns: Most recently, one that poses as an email notification from an HP OfficeJet Printer has sent nearly 8 million emails thus far and uses 2,000 domains to serve up the malware.

Researchers at AppRiver say the trend demonstrates how Blackhole is following the pattern of popular crimeware kit Zeus and SpyEye. Blackhole traditionally has been used to infect legitimate websites for drive-by infection purposes. "This attack is unique because Blackhole added an email vector to its format and is flooding the Internet with similar methods used by Zeus, SpyEye, and others, essentially moving it into prime time," said Fred Touchette, senior security analyst for AppRiver. The attackers also have set up their own malicious links to infect users who click on URLs in the emails.

Blackhole, which previously had been marketed as a high-end crimeware tool, costing $1,500 for a one-year license, in May was unleashed for free in some underground forums. That has propelled more use of the toolkit.

Touchette said he first noticed the trend with a Steve Jobs-themed email campaign earlier this month in the wake of Jobs' death. "This is the first that I have personally noticed that leads email recipients to Blackhole websites. Before that, people using the Blackhole Kit relied on techniques such as SEO poisoning to lead victims to their sites," he said.

The OfficeJet email campaign, like other Blackhole attacks, is trolling for victims' online banking credentials. It works a lot like Zeus and others, using browser vulnerabilities on victims' machines and creating a backdoor for downloading and installing the Trojans. AppRiver's Touchette said Blackhole appears to favor Java and Adobe bugs.

"This most recent campaign is still trickling in, but will soon stall as most of its domains have been picked up and blacklisted by security professionals. At its peak yesterday, we were seeing malicious emails related to this campaign coming in at a rate of around 36,000 per minute," he said. "Links within those emails pointed toward approximately 2,000 separate domains that were hosting malicious code."

Read the rest of this article on Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web