Blackhole Exploit Kit Used in Conjunction with Spam Emails

Uh-oh. Welcome to my lair, said the spider to the fly. And we all know how that worked out: spider meets fly, fly gets busy with spider, spider eats fly. Ick. And if you haven’t been following the most recent exploits of those intrepid spammers – you know the ones, the ones who annoy, invade, attempt to steal and generally bug the hell out of us – then be prepared to say double ick.

This week, several media outlets are reporting a change in the way spammers do their, uhm, business, and  if the reports are true, it looks like the scam artists are easing up on those predictably bad appeals aimed at only the most vulnerable among us. Typically, your average spammer relies on the stupidity and/or ignorance of the recipient, requiring the person reading the mail to pry open the mouth of the lion and stick his head in. Usually based on a theme requiring some urgency, these emails attempt to scare the user into thinking that the tax man is about to seize his house, shut down his PayPal account, or permanently block him from purchasing fake Viagra. It’s a scheme that fails to snare most of us, but when someone does get fooled by these messages, the results can be disastrous.

Fortunately, most of us have been able to rest easy in the knowledge that these things can be spotted by a blind man from a mile away. Poor grammar, egregious misspelling and suspicious-looking pages that clearly don’t belong to the pretended institution; all clear giveaways that can be easily spotted by spam filters and dumped in the trash. Now, however, the buzz on the street is unsettling and a little creepy, if you stop to think about the implications.

Researchers are saying that the Blackhole exploit kit, purported to be the most popular web threat in terms of usage, is being used in conjunction with smarter and more believable spam emails to douse any unfortunate user who clicks a link with a tidal wave of harsh reality. Blackhole, developed in Russia and licensed out to any enterprising young scammer who wishes to purchase it, is based on PHP and MySQL and uses malicious links fueled by JavaScript to identify and take advantage of security flaws on the target computer. Blackhole appeared in 2010 and sells for $1,500 for an annual license. To date, the most successful Blackhole exploit is said to be a hack of the US Postal Service’s Rapid Information Bulletin Board System (RIBBS) in April 2011.

According to Help Net Security, the most popular use of Blackhole is the impersonation of “social networking sites (Facebook, LinkedIn, MySpace), e-payment and e-commerce companies (PayPal, eBay), airlines (US Airways, Delta Airlines), financial institutions (AmEX, Citibank, Bank of America) and logistics services companies such as FedEx, UPS, etc.”

Unlike ‘traditional’ spam emails, which often convey a sense of urgency, recent spam methods are looser, according to the same article:

“The phishing messages of today have far less urgency and the message is implicit: ‘Your statement is available online’; or ‘Incoming payment received’, or ‘Password reset notification.’”

The implication, of course, is that users may be lulled into a false sense of security by something that doesn’t threaten unreasonable earth-shattering consequences  if the user doesn’t act immediately.

According to the researchers, this new use of email spam creates:

“difficulties for traditional antispam methods. Content-based filters, for instance, have a problem with the attacks because these use modified versions of legitimate emails, making detection and blocking more difficult to do.”

This newer, looser approach to spam email, combined with links to Blackole infested sites, ups the ante for IT professionals, since users need to be aware that just because a spam email looks more legitimate – say, than one which uses poor writing and bad grammar – it’s no safer to click on links in emails that purport to be from a financial institution, or a social media site for which they happen to have an active account. Humans are creatures of habit, and if they happen to read an email that looks exactly like a legitimate email that they may have received in the past, they’re more apt to click the link without a second thought.

As always, user education is paramount. If you’re holding an information session with your staff, fabricate an email from a legitimate site, swapping out the link for something else. Show them how a link can say one thing but be something totally different, using simple techniques like hovering over the link to see its true nature. And, as always, tell them to stop and think about what they’re doing before they click.

Written by Malcolm James


  1. Tom Smithson · July 23, 2012

    Sneaky, sneaky. But that’s how they are, those spammers. Admittedly, almost anyone can be fooled. I would admit that if I have not read this entry, I would have fallen prey, too. But if the grammar really is embarrassing, of course, I wouldn’t fall into that trap.

    Makes you want to think twice and read through emails judiciously before clicking on any link.

    Regardless of content, it is always safer, albeit, less convenient to just search for a company’s site rather than click on any link.

    Instead of teaching your employees on how to be discerning with the emails they received, which can really take a while, teach people that technique. Never click on a link in an email or message, just search or go directly to a company’s site.

Leave A Reply