Incessant Blackhole spam runs likely made by same group

A seemingly never-ending string of spam email campaigns leading to websites hosting the infamous Blackhole exploit kit are hitting inboxes around the world in waves.

The latest and most prominent ones consisted of the fake Facebook, LinkedIn, USPS and US Airways notifications, while the last one spotted masquerades as an email from employment website CareerBuilder.com saying that the recipient might find a job opening appealing.

As usual, the offered link takes the recipient through a number of redirections and finally lands him on a compromised site serving the exploit kit.

According to a recent analysis by Trend Micro researchers, these spam messages are mostly targeting US users, and are often very realistic spoofs of the companies’ original and legitimate emails. The

“We found clear evidence that all these attacks were linked. In many cases, the same sets of compromised URLs by multiple spam runs,” the researchers pointed out. “This suggests that at least some of the parties responsible for these attacks were identical, if it was not the same group altogether.”

The ultimate goal of these attacks is the same: the exploit kit is used to allow the installation of malware – predominantly Zeus Trojan variants – onto the users’ computers.