Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/13/2011
03:49 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Blackhole Crimeware Goes 'Prime Time'

New HP OfficeJet phishing emails peaked at around 36,000 per minute on Wednesday

Attackers are increasingly using the Blackhole exploit kit in phishing campaigns: Most recently, one that poses as an email notification from an HP OfficeJet Printer has sent nearly 8 million emails thus far and uses 2,000 domains to serve up the malware.

Researchers at AppRiver say the trend demonstrates how Blackhole is following the pattern of popular crimeware kit Zeus and SpyEye. Blackhole traditionally has been used to infect legitimate websites for drive-by infection purposes. "This attack is unique because Blackhole added an email vector to its format and is flooding the Internet with similar methods used by Zeus, SpyEye, and others, essentially moving it into prime time," says Fred Touchette, senior security analyst for AppRiver. The attackers also have set up their own malicious links to infect users who click on URLs in the emails.

Blackhole, which previously had been marketed as a high-end crimeware tool, costing $1,500 for a one-year license, in May was unleashed for free in some underground forums. That has propelled more use of the toolkit.

Touchette says he first noticed the trend with a Steve Jobs-themed email campaign earlier this month in the wake of Jobs' death. "This is the first that I have personally noticed that leads email recipients to Blackhole websites. Before that, people using the Blackhole Kit relied on techniques such as SEO poisoning to lead victims to their sites," he says.

The OfficeJet email campaign, like other Blackhole attacks, is trolling for victims' online banking credentials. It works a lot like Zeus and others, using browser vulnerabilities on victims' machines and creating a backdoor for downloading and installing the Trojans. AppRiver's Touchette says Blackhole appears to favor Java and Adobe bugs.

"This most recent campaign is still trickling in, but will soon stall as most of its domains have been picked up and blacklisted by security professionals. At its peak yesterday, we were seeing malicious emails related to this campaign coming in at a rate of around 36,000 per minute," he says. "Links within those emails pointed toward approximately 2,000 separate domains that were hosting malicious code."

According to AVG Software, Blackhole infections peaked in March, with more than 8 million detections. They began dropping off in June, down to 4 million.

Recent botnet takedowns have spurred an increase in malware attacks recently as botnet operators try to rebuild, AppRiver's Touchette says.

AppRiver posted a blog on the Blackhole attacks here yesterday.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22392
PUBLISHED: 2021-08-02
There is an Incorrect Calculation of Buffer Size in Huawei Smartphone.Successful exploitation of this vulnerability may cause verification bypass and directions to abnormal addresses.
CVE-2021-22396
PUBLISHED: 2021-08-02
There is a privilege escalation vulnerability in some Huawei products. Due to improper privilege management, a local attacker with common privilege may access some specific files in the affected products. Successful exploit will cause privilege escalation.Affected product versions include:eCNS280_TD...
CVE-2021-22397
PUBLISHED: 2021-08-02
There is a privilege escalation vulnerability in Huawei ManageOne 8.0.0. External parameters of some files are lack of verification when they are be called. Attackers can exploit this vulnerability by performing these files to cause privilege escalation attack. This can compromise normal service.
CVE-2021-22398
PUBLISHED: 2021-08-02
There is a logic error vulnerability in several smartphones. The software does not properly restrict certain operation when the Digital Balance function is on. Successful exploit could allow the attacker to bypass the Digital Balance limit after a series of operations. Affected product versions incl...
CVE-2021-22412
PUBLISHED: 2021-08-02
There is an Integer Overflow Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause random kernel address access.