Blackhole Toolkit Served by Spam Ahead of Tax Season

Symantec researchers came across a large number of spam messages that try to trick the recipient into clicking on a link that points to the malicious Blackhole toolkit.

Over 200 unique URLs have been identified in a series of emails that urge users to verify their accounts after some discrepancies were identified by the sender company.

The phony emails, apparently coming from a legitimate company, read:

With intent to assure that the exact information is being sustained on our systems, as well as to improve the quality of service we can provide to you; [COMPANY NAME] has participated in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or TIN, that we have on your account is different from the information on file with the Social Security Administration.

In order to verify your account, please enter the secure section.

Once the link is clicked, the user is taken to a page containing more links that point to a JavaScript file called js.js.

This file serves the Blackhole toolkit looking for various vulnerabilities on the victim’s computer, the final payload being identified as Trojan.Zbot.

The domains that contain the malicious JavaScript file are not only newly registered domains, but also legitimate domains that were hijacked by the cybercriminals that launched the campaign.

Users are advised not to click on links that come with a suspicious looking email, but also to avoid opening attachments, especially if they’re represented by exe, zip, or pdf files.

Security solutions are highly important since in most cases they can protect a machine against pieces of malware and other malicious attacks.

If by mistake you’ve already clicked on the link in such an email, be sure to run a full system scan using a reliable, updated security application.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.