Contributor: Jeet Morparia
Over the last few weeks, there have been reports of various websites that have had their databases breached and customer data stolen by attackers through various means. A lot of the focus has been on how password dumps have been appearing online. There has always been the concern that attackers who obtain access to customer information would leverage the information in a malicious campaign.
A few days ago, MapleSoft, makers of mathematical and analytical software such as Maple, reported that they have been investigating a database breach. The breach resulted in the attackers obtaining customer information such as email addresses, first and last names, as well as company and institution names. MapleSoft states that no financial information was compromised in this breach.
Unlike previous database breaches, where password hashes were dumped onto the Web, the attackers in this breach decided to up the stakes. MapleSoft customers began to receive emails pretending to be from the “MapleSoft Security Update Team” that claimed Maple software was vulnerable to attack and a patch was available.
Links in malicious emails are often misleading. For example, they would appear to point to maplesoft.com. However, the attackers merely modify the display text, when in actuality, the real link is hosted elsewhere. Usually, these links are foreign, randomly generated domain names or sites that have been compromised and act as an intermediary, redirecting to the payload. This case was different because the attackers actually registered the maple-soft.com domain on July 17 and used it in their emails to their targets. This coincides with when MapleSoft was alerted to spam messages being sent to their customers.
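As an added example (not code from the original post), the following Python flags the two link tricks described above in an HTML email: an anchor whose visible text names one domain while its href points to another, and an href on a domain that merely resembles a trusted vendor domain, as maple-soft.com resembles maplesoft.com. The TRUSTED list and the sample message are assumptions constructed for the example; the registrable-domain helper is deliberately crude (no public-suffix list).

```python
# Added example, not from the original post; the TRUSTED list is an assumption.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED = {"maplesoft.com"}  # vendor domains the recipient expects (assumed list)
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def looks_like(domain, trusted):
    """True when domain differs from trusted only by hyphens or digits."""
    strip = lambda d: re.sub(r"[-0-9]", "", d)
    return domain != trusted and strip(domain) == strip(trusted)

class _Anchors(HTMLParser):
    # Collect (href, visible text) for every <a> element in the message.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse_links(html):
    """Return one finding per suspicious anchor; an empty list means none."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(text)  # a domain quoted in the display text
        reasons = []
        if shown and registrable(shown.group(0)) != target:
            reasons.append("text names %s but link goes to %s" % (registrable(shown.group(0)), target))
        reasons += ["%s resembles trusted %s" % (target, t) for t in TRUSTED if looks_like(target, t)]
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings
# Constructed sample modelled on the campaign described above (not a real message).
SAMPLE_EMAIL = """<p>Dear John,</p><p>A patch for Maple is available at
<a href="http://maple-soft.com/update">http://www.maplesoft.com/security/update</a> or
<a href="http://maple-soft.com/patch">maple-soft.com</a>. See also
<a href="http://www.maplesoft.com/support">our support site</a>.</p>"""
```

Running `analyse_links(SAMPLE_EMAIL)` reports the two maple-soft.com anchors and leaves the genuine maplesoft.com link alone.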
On top of that, users who received the emails were reportedly addressed by their first names. This detail was useful to the attackers because it lent the messages credibility and helped them gain a level of trust with MapleSoft's customers.
A reddit user posted an example of one of the email messages they received claiming to be from MapleSoft:
Upon clicking the link, the user is taken to a page on maple-soft.com. This page will then redirect to the Blackhole exploit kit page which determines what exploit to serve to the unsuspecting user. In this particular case, the user is served up the Microsoft Windows Help And Support Center Trusted Document Whitelist Bypass Vulnerability (CVE-2010-1885).
Once the user’s system is successfully exploited by the vulnerability, two files are dropped onto the target system. These files are detected by Symantec products as Trojan.Zbot (which our behavioral engine detects as Sonar.Zbot!gen1) and Packed.Generic.367 (a heuristic detection for Trojan.ZeroAccess).
Symantec Endpoint Protection and Norton customers are protected against exploitation of vulnerabilities and drive-by downloads from exploit kits like Blackhole. The specific IPS signatures that protect against this version of Blackhole are:
- Web Attack: Blackhole Toolkit Website 2
- Web Attack: Malicious Toolkit Website 9
- Web Attack: Blackhole Exploit Kit Website 8
- Web Attack: Malicious File Download Request 10
MapleSoft has already notified its customers about the breach and given them a high-level overview of the threat. At this time it is unclear how many MapleSoft customers were part of the breach and how many received these malicious spam messages.
While we have seen plenty of database breaches in recent weeks, none have resulted in a crafted campaign such as this. This just goes to show how these types of attacks have evolved from blind phishing to more sophisticated, targeted messages. Having this type of data on hand is like having an ace up the sleeve.
We encourage users who receive notifications about patches and updates to software through email not to click on the links. Instead, we recommend that users visit the actual vendor website to confirm the legitimacy of these types of notifications.