The use of exploit kits changed spam runs
Posted on 12 July 2012.
Spammers used to depend on email recipients to tie the noose around their own necks by inputting their personal and financial information into credible spoofs of legitimate websites, but with the advent of exploit kits, that technique is slowly being sidelined.
Prompted by the rise in the number of spam runs leading to pages hosting exploit kits, Trend Micro researchers have recently been investigating a number of high-volume spam runs using the Blackhole exploit kit.

According to them, today's phishing messages carry far less urgency; the call to action is implicit: "Your statement is available online", "Incoming payment received", or "Password reset notification."

"In many cases these messages are identical to the legitimate messages sent by the legitimate organization," they pointed out. "Sometimes, the only difference between the legitimate version of the email and the phished version is the bad link."

The cyber criminals behind these spam runs have demonstrated a strong penchant for impersonating social networking sites (Facebook, LinkedIn, MySpace), e-payment and e-commerce companies (PayPal, eBay), airlines (US Airways, Delta Airlines), financial institutions (AmEx, Citibank, Bank of America) and logistics companies such as FedEx and UPS.

"The spam runs pose difficulties for traditional antispam methods. Content-based filters, for instance, have a problem with the attacks because these use modified versions of legitimate emails, making detection and blocking more difficult to do," say the researchers.

IP and web reputation and email authentication have similarly failed to protect users: the sending botnets are in constant flux, with nodes added and removed at regular intervals; the scale of the attacks is great; and the attackers prefer to compromise legitimate sites and use them to lead victims to the pages hosting the exploit kit.
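Because the lure is a copy of a legitimate notification in which only the link differs, one check that still works when content filters and sender reputation do not is to compare where each link actually points with the domain the message claims to come from and with any URL shown in the link text. The script below is an added example written for this page, not Trend Micro's or Help Net Security's code; the email, the bank name and every domain in it are constructed (`.test` names), and `registered_domain` is a deliberate simplification that takes the last two labels of a hostname, so it misreads multi-label public suffixes such as `co.uk`.

```python
"""Flag links in an HTML email whose target does not match the claimed sender.

Added example: the sample message and all domains are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a spoofed "statement available" notice. The wording and
# the second link match what the impersonated sender would send; only the
# first link's target differs, pointing at a (made-up) compromised site.
SAMPLE_EMAIL = """\
From: "Example Bank" <statements@examplebank.test>
To: customer@example.test
Subject: Your statement is available online
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your statement is available online.</p>
<p><a href="http://compromised-blog.test/wp-content/stmt.php">View statement at https://www.examplebank.test/statements</a></p>
<p><a href="https://www.examplebank.test/help">Help</a></p>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def flag_links(raw_message):
    """Return [(href, [reasons])] for links that disagree with the From domain
    or with a URL displayed in their own anchor text."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_addr = parseaddr(str(msg["From"]))[1]
    sender_domain = registered_domain(sender_addr.rpartition("@")[2])

    parser = LinkExtractor()
    parser.feed(msg.get_content())

    flagged = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are out of scope for this check
        href_domain = registered_domain(target.hostname)
        reasons = []
        if href_domain != sender_domain:
            reasons.append(f"link domain {href_domain} does not match sender domain {sender_domain}")
        for shown in URL_RE.findall(text):
            shown_domain = registered_domain(urlparse(shown).hostname)
            if shown_domain != href_domain:
                reasons.append(f"anchor text shows {shown_domain} but link goes to {href_domain}")
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in flag_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the constructed message the first link is flagged twice (wrong domain for the sender, and a displayed URL that disagrees with the real target) while the genuine help link passes. The check says nothing about whether the target hosts an exploit kit; it only surfaces the one thing the researchers say differs in these runs, so it is a triage signal to combine with sender authentication and URL reputation, not a replacement for them.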

The malicious payloads delivered through the exploit kit are mostly information-stealing malware with additional backdoor capabilities: Zeus in 66 percent of the cases and Cridex in 29 percent.

The researchers analyzed 245 spam runs leading to the Blackhole kit that started in April, May and June 2012.

They have come to believe that all of these attacks were conducted by a single group, or by several groups acting in concert, since the botnets sending out the spam had a high degree of overlap from one day to the next, compromised sites were reused from one attack to another, and the exploit methods were similar.
