Blackhole Exploit Kit Spam Campaigns Disguised as Top Service Brands

Spam campaigns based on the Blackhole Exploit Kit send messages that contain links to compromised legitimate websites, which serve hidden iframes and redirections that exploit vulnerabilities across operating systems–from Android to Windows. Spam themes we have seen vary rapidly and are disguised to appear as legitimate messages from familiar services. Campaigns spoofing Facebook, LinkedIn, American Airlines, and various banking services carry embedded links to malware. Spammers abuse email templates from familiar service providers by capturing automated emails, replacing links in the template with links to malware, and rebroadcasting those messages to harvested or predicted recipients.

This tactic has proven effective for spammers. Recipients are likely to click links in familiar-looking emails and often create custom whitelist entries for common sending domains without enforcing Sender Policy Framework or DomainKeys Identified Mail validation.

The Messaging Security Team at McAfee Labs has closely monitored this trend and would like to share a few common traits from recent campaigns to aid in identification:

  • Messages are disguised to appear as legitimate mails from well-known service providers
  • Subject lines are very catchy and similar to those of any service provider

Subject line examples:

  • Your Verizon wireless bill
  • Pending Wire Transfer Notification – Ref: 15192
  • TrustKeeper Network Scan Information
  • BBC-Email: USA government decided to follow Cyprus and rise deposit taxes!!!
  • [FIRSTNAME LASTNAME] left you a comment…
  • Your order # ID[Random digits] has been completed

Other features:

  • URL paths commonly end in …/random_word.html or …/random_word.php
  • Spammers recycle templates across campaigns. These emails could have embedded links to malware or attached .zip/executable files.
  • Unsubscribe links are typically missing or replaced with malicious links

Blackhole Spam Samples

Fake wire-transfer campaign:


Fake LinkedIn campaign:


Fake Facebook campaign:



You will notice all of these samples have fake .html or .php links, which are highlighted in red in the foregoing samples. These are the links carrying payloads that we need to be aware off.

The bad guys will use many techniques to deliver their spam; social engineering is a reality. Messaging Security advises caution when clicking links in emails: hover first! Employ multiple layers of defense in your environment–from email defense to web security to antimalware, and keep those definitions up to date!