Fake Amex warning leads to exploit kit

A fake American Express email trying to lure users into following a malicious link by making them think that someone has reset their password for their online account has recently been spotted by NSS Labs researchers:

Unexpectedly, the offered link doesn’t lead to a phishing page, but to one hosting the Blackhole exploit kit.

“When the user arrives at the landing page, and even before they can ascertain whether or not they might be at a legitimate website, the exploit kit has already profiled their computer and determined if there are vulnerable applications to exploit,” explain the researchers. “If there are vulnerable applications, as is more often than not the case, a Trojan downloader will be installed.”

Unfortunately for many users, only a little more than half of the AV solutions used by VirusTotal detect the malware – a downloader Trojan that once safely ensconced within the machine proceeds to download password stealers and additional backdoors, some of which have a very low detection rate.

“The critical take-away for both enterprise and home users is that the Blackhole exploit kit has an easily attackable Achilles heel: patching! Fully patched machines are not vulnerable to Blackhole,” the researchers point out.

“With a patched machine, even those users who follow the link in the phishing email would come away unscathed (providing they enter no confidential information on the fake webpage, of course!) regardless of whether they use OS X, Windows, or Linux. Users with outdated versions of Adobe and Oracle products, however, don’t stand a chance.”