Prompted by the rising number of spam runs leading to pages hosting exploit kits, Trend Micro researchers have recently been investigating a number of high-volume spam runs using the Blackhole exploit kit.
According to them, the phishing messages of today have far less urgency and the message is implicit: "Your statement is available online"; or "Incoming payment received", or "Password reset notification."
"In many cases these messages are identical to the legitimate messages sent by the legitimate organization," they pointed out. "Sometimes, the only difference between the legitimate version of the email and the phished version is the bad link."
The cyber criminals behind these spam runs have shown a strong penchant for impersonating social networking sites (Facebook, LinkedIn, MySpace), e-payment and e-commerce companies (PayPal, eBay), airlines (US Airways, Delta Airlines), financial institutions (AmEx, Citibank, Bank of America) and logistics companies such as FedEx and UPS.
"The spam runs pose difficulties for traditional antispam methods. Content-based filters, for instance, have a problem with the attacks because these use modified versions of legitimate emails, making detection and blocking more difficult to do," say the researchers.
IP and web reputation checks and email authentication have similarly failed to protect users: the sending botnets are in constant flux, with nodes added and removed at regular intervals; the attacks are large in scale; and the attackers prefer to compromise legitimate sites and use them to redirect victims to the pages hosting the exploit kit.
As previously mentioned, the malicious payloads delivered through the exploit kit are mostly information-stealing malware with additional backdoor capabilities: Zeus in 66 percent of the cases and Cridex in 29 percent.
The researchers analyzed 245 spam runs leading to the Blackhole kit that started in April, May and June.
They have come to believe that all of these attacks were conducted by a single group or several groups acting in concert with one another, since the botnets sending out spam had a high degree of overlap from one day to the next, compromised sites were used and reused from one attack to another, and the exploit methods used in attacks were similar.