Fake ‘Amazon order’ email exploits recent Java vulnerability CVE-2012-4681
Following our recent blog posts on the propagation of Java vulnerability CVE-2012-4681 (New Java 0-day used in small number of attacks) and its subsequent inclusion in the infamous Blackhole Exploit Kit (New Java 0-day added to Blackhole Exploit Kit), the Websense® ThreatSeeker® Network has detected a new malicious email campaign. The emails purport to be an order-verification message from Amazon and direct victims to a page containing the recent Java exploit.
If the exploit succeeds, the cyber-criminals behind this campaign can deliver further malicious payloads to the victim’s machine, which could, for example, lead to the exfiltration of personal and financial data.
Oracle have released an out-of-band patch for this Java vulnerability (Oracle release Java 1.7.0_07 to fix CVE-2012-4681), and Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine.
On 1st September, the Websense® ThreatSeeker® Network intercepted over 10,000 malicious emails with the subject ‘You Order With Amazon.com’, enticing the recipient to ‘click here’ to verify a fictitious order, as shown in this sample:
Once the victim has clicked the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit, in this case hxxp://atjoviygdm.dnset.com/main.php?page=8e2cf5bb67d777a4. The Payload view below highlights the Java Archive ‘Leh.jar’, which is then used to exploit CVE-2012-4681 should the victim’s machine be vulnerable; an analysis of this file can also be found on VirusTotal.
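As an added example (not part of the original Websense post), the following Python script shows how a defender could spot this chain in web-proxy logs: a hit on a Blackhole landing page of the form `main.php?page=<16 hex chars>` (generalised here from the single URL above, which is an assumption about the kit’s URL scheme) followed by a `.jar` download from the same host, with the requesting JRE version taken from Java’s `Java/x.y.z_nn` User-Agent and compared against the patched 1.7.0_07. The log format and every log line are constructed for the example.

```python
"""Flag Blackhole landing-page hits followed by a JAR fetch from the same host."""
import re
from collections import defaultdict

# Assumption: Blackhole landing pages look like /main.php?page=<16 hex chars>,
# generalised from the one URL seen in this campaign.
LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}\b")
JAR_RE = re.compile(r"\.jar(\?|$)", re.IGNORECASE)
# Java 1.7.0_07 fixed CVE-2012-4681; anything older is treated as exposed.
PATCHED = (1, 7, 0, 7)

# Constructed sample proxy log: client, host, path, user-agent.
# Java's HTTP client identifies itself as "Java/<version>", which reveals the JRE level.
SAMPLE_LOG = """\
10.0.0.5 atjoviygdm.dnset.com /main.php?page=8e2cf5bb67d777a4 Mozilla/5.0
10.0.0.5 atjoviygdm.dnset.com /Leh.jar Java/1.7.0_06
10.0.0.9 www.amazon.com /gp/css/order-history Mozilla/5.0
10.0.0.9 cdn.example.net /lib.jar Java/1.7.0_07
10.0.0.7 atjoviygdm.dnset.com /main.php?page=8e2cf5bb67d777a4 Mozilla/5.0
10.0.0.7 atjoviygdm.dnset.com /Leh.jar Java/1.7.0_07
"""


def parse_java_version(user_agent):
    """Return (major, minor, micro, update) from a Java User-Agent, else None."""
    m = re.search(r"Java/(\d+)\.(\d+)\.(\d+)_(\d+)", user_agent)
    return tuple(int(x) for x in m.groups()) if m else None


def detect(log_text):
    """Return (client, host, jar, vulnerable) for each JAR fetched from a host
    that the same client had just reached via a Blackhole-style landing page."""
    landing_hosts = defaultdict(set)  # client -> hosts serving a landing page
    hits = []
    for line in log_text.splitlines():
        client, host, path, user_agent = line.split(None, 3)
        if LANDING_RE.search(path):
            landing_hosts[client].add(host)
        elif JAR_RE.search(path) and host in landing_hosts[client]:
            version = parse_java_version(user_agent)
            vulnerable = version is not None and version < PATCHED
            hits.append((client, host, path.lstrip("/"), vulnerable))
    return hits


if __name__ == "__main__":
    for client, host, jar, vulnerable in detect(SAMPLE_LOG):
        print(f"{client} fetched {jar} from {host}; JRE vulnerable: {vulnerable}")
```

The JAR fetch from `cdn.example.net` is not flagged because that client never hit a landing page on that host, while the patched client on 10.0.0.7 is reported but marked as not vulnerable.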
This email campaign further illustrates the ingenuity and speed with which cyber-criminals package and propagate malicious content alongside social-engineering techniques, exploiting both recent software vulnerabilities and the trusting nature of end-users.