Spam Campaign Flooding Towards Blackhole Exploit Kit

Contributor: Samir Patil

In the last few months, we have seen an increase in the volume of malicious spam. The majority of these new spam emails contain links to the Blackhole Exploit Kit.

Earlier this year, Symantec reported on malicious spam during tax season that led to the Blackhole Exploit Kit. Similar attacks targeting well-known businesses occurred throughout 2012, affecting major brands in various service industries such as payroll, fax, and social media.

The emails claim to be contacting the recipient regarding account transactions, pending notifications, company complaint reports, and similar matters.

The main purpose of these spam campaigns is to lure recipients into clicking on links contained in the emails. These links then lead to malicious code being downloaded, which exploits common vulnerabilities.

Note: Read The Blackhole Theory for more information about how this type of attack works.

Figure 1 shows the volume of Blackhole spam over the past three months. The attacks increased noticeably around September 18 and even more so in mid-October. During this time, attacks targeting social networks and payroll companies were prominent. Throughout the monitoring phase, we observed 19 companies being targeted by the spammers. Social media and payroll are the industries most often targeted, accounting for 35 and 31 percent respectively.

Figure 1. Blackhole spam volume peaking in mid-October

Figure 2. Distribution of spam through targeted service industries

The most frequently observed subject lines in these attacks were:

  • [REMOVED] Urgent Notification
  • [REMOVED] Funding Notification
  • [REMOVED] Complaint activity report
  • Corporate [REMOVED] message - [REMOVED] pages
  • New invitation
  • Verify your account
  • Your Order
  • List of all Employer contributions scheduled on [REMOVED]
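For mail triage, the subject templates above can be turned into anchored patterns. This is an added example, not Symantec's detection logic. The function names, the 40-character limit on a redacted slot, the requirement that the body also contain an http(s) link, and the sample messages are all assumptions made for illustration.

```python
import re

# Subject templates copied from the list above; "[REMOVED]" marks the
# brand or date that the post redacted.
TEMPLATES = [
    "[REMOVED] Urgent Notification",
    "[REMOVED] Funding Notification",
    "[REMOVED] Complaint activity report",
    "Corporate [REMOVED] message - [REMOVED] pages",
    "New invitation",
    "Verify your account",
    "Your Order",
    "List of all Employer contributions scheduled on [REMOVED]",
]
# Assumption: a redacted slot is 1-40 characters with non-space edges.
SLOT = r"\S(?:.{0,38}\S)?"
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
REPLY_PREFIX_RE = re.compile(r"^\s*((re|fwd?)\s*:\s*)+", re.IGNORECASE)

def compile_template(template):
    """Escape the literal text and put a bounded wildcard in each slot."""
    parts = [re.escape(p) for p in template.split("[REMOVED]")]
    return re.compile("^" + SLOT.join(parts) + "$", re.IGNORECASE)

COMPILED = [(t, compile_template(t)) for t in TEMPLATES]

def match_subject(subject):
    """Return the matching template, or None."""
    # Drop Re:/Fwd: prefixes and collapse runs of whitespace first.
    cleaned = " ".join(REPLY_PREFIX_RE.sub("", subject).split())
    for template, pattern in COMPILED:
        if pattern.match(cleaned):
            return template
    return None

def triage(subject, body):
    """Flag only when the subject matches AND the body carries a link,
    since short subjects such as "Your Order" are common in clean mail.
    Returns (template, urls) for follow-up URL checks, or None."""
    template = match_subject(subject)
    urls = URL_RE.findall(body)
    return (template, urls) if template and urls else None

if __name__ == "__main__":
    # Constructed sample messages, not taken from the campaign.
    samples = [
        ("ExampleBank Urgent Notification", "See http://pay.example.test/a"),
        ("Your Order", "Thanks, your parcel ships on Monday."),
    ]
    for subject, body in samples:
        print(subject, "->", triage(subject, body))
```

A hit is a triage hint, not a verdict: the extracted URLs still need a reputation or sandbox check before the message is classified.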

Figure 3. Spam email example claiming to be a transaction report

Figure 4. Spam email example claiming to be from a social networking site

Using a company or brand's popularity in a spam campaign is nothing new, and we have seen these industries being used in other campaigns like online pharmacy spam. The good news is that Symantec protects customers from all of these attacks with multilevel protection including Antispam, IPS, and AV.

Follow these tips to avoid spam attacks:

  • Patch your operating system and software regularly
  • Use message security and antivirus solutions from Symantec and use the latest signatures
  • Be suspicious of emails with urgent requests for personal information
  • Do not open any suspicious links or attachments received in unsolicited email