An Aggressive Turn of Tactics Used in Black Hole Exploit Kit Spam Runs

We’ve been tracking and informing customers about current Black Hole Exploit Kit spam run activity and noted that spammers have been changing their methods to better achieve their goals. The most recent development is an aggressive turn in the tactics used in these spam runs, which makes infection easier to achieve. With the latest technique, users only need to open the email; the connection to the URL from which the malware is downloaded is automated.

New Techniques to Increase Probability of Infection

These emails are different than previous spam as users are no longer required to click a URL before proceeding to a malicious website. A reliance on users to fall for social engineering schemes has been discarded in this campaign in favor of automated connection to malicious websites for infection. Once the email is opened, connection is made to a compromised website that redirects to another compromised website, and finally to the malicious website.

The infection chain is the same as those we observed for the Twitter and Airline Ticket Black Hole Exploit Kit spam. Some of the compromised websites have been previously used and newly compromised websites are also being used. Spammers are now using iFrames and embedded JavaScript that automatically connect to malicious websites for infection. This means infection can occur if this spam is read in email clients that support HTML and allow iFrames, such as some versions of Outlook and Outlook Express. Email clients such as Hotmail and Lotus Notes 7 and 8.5 use features such as SafeHTML to prevent infection.
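To illustrate the auto-connect vectors described above from the defender's side, here is an added example (not code from the original post) that parses an email and lists every iframe or script element in its HTML parts that would fetch a remote resource as soon as the message is rendered, flagging those sized or styled to be invisible. The message and hostnames are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (placeholder hosts): an HTML mail carrying a
# 1x1 iframe and a remote script, the two auto-connect vectors in the post.
SAMPLE_EML = """\
From: sender@example.com
To: user@example.net
Subject: Your ticket
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find your itinerary below.</p>
<iframe src="http://compromised-site.example/redirect.php" width="1" height="1"></iframe>
<script src="http://compromised-site.example/loader.js"></script>
</body></html>
"""

def _is_hidden(attrs):
    """True when an element is styled away or collapsed to 1 pixel or less."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", 100)) <= 1 or int(attrs.get("height", 100)) <= 1
    except ValueError:
        return False

class AutoLoadFinder(HTMLParser):
    """Collects <iframe>/<script> elements that load a remote src automatically."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        if a.get("src"):
            self.findings.append({"tag": tag, "src": a["src"], "hidden": _is_hidden(a)})

def find_auto_connects(raw_message):
    """Return auto-loading elements found in every text/html part of an email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    finder = AutoLoadFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings
```

A mail gateway or client that strips such elements before rendering (the role SafeHTML plays in the clients named above) removes the automatic connection even when the user opens the message.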

Sample of Latest Turn – No Click, Automated Connection to Malicious Site

The following is a sample of this new type of Black Hole Exploit Kit spam:

The following is the infection chain:

We are continuously monitoring and ensuring effective solutions for these spam runs. As we’ve pointed out in our previous post, there is a better way of handling Black Hole Exploit Kit than focusing on the infection point. In an upcoming blog post, we will discuss more about the effectiveness of our solution to this threat. Trend Micro™ Smart Network Protection™ blocks black hole exploit kit spam, detects and removes malware associated with black hole exploit kit infections, and blocks access to malicious URLs and website redirections.

Post from: TrendLabs | Malware Blog – by Trend Micro



Story added 14 June 2012; the full text is available from the content source.