September 2, 2012

Fake ‘Amazon order’ email exploits recent Java vulnerability CVE-2012-4681

Xue Yang

Following our recent blog posts regarding the propagation of Java vulnerability CVE-2012-4681 (New Java 0-day used in small number of attacks) and its subsequent inclusion in the infamous Blackhole Exploit Kit (New Java 0-day added to Blackhole Exploit Kit), the Websense® ThreatSeeker® Network has detected a new malicious email campaign purporting to be an order verification email from Amazon directing victims to a page containing the recent Java exploit.

If successful, this exploit could allow the cyber-criminals behind this campaign to deliver further malicious payloads to the victim’s machine which, for example, could lead to the exfiltration of personal and financial data.

Oracle have released an out-of-band patch for this Java vulnerability (Oracle release Java 1.7.0_07 to fix CVE-2012-4681) and Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine.

On 1st September, Websense® ThreatSeeker® Network intercepted over 10,000 malicious emails with the subject ‘You Order With Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:

Once the victim has clicked the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit – in this case, hxxp://atjoviygdm.dnset.com/main.php?page=8e2cf5bb67d777a4. The Payload view below highlights the Java Archive ‘Leh.jar’, which is then used to exploit CVE-2012-4681 should the victim’s machine be vulnerable; an analysis of this file can also be found on VirusTotal.

The obfuscated JavaScript above (de-obfuscated version below) attempts to profile the visiting machine, determining the browser type and version as well as the Adobe Flash, Adobe Reader and Java versions, and then, based on this information, selects the ‘best’ exploit to use against this particular victim.
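As an added example that is not part of the original post, the following Python triage function checks an inbound message for the campaign indicators given above (the exact subject line and the Blackhole landing-page shape main.php?page=&lt;16 hex digits&gt;) and for the brand/link mismatch that gives this kind of lure away. The sample message and the trusted-domain value are constructed assumptions; the landing URL is the defanged one printed in the post and nothing is fetched.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Indicators taken from the post: the campaign subject and the Blackhole landing-page
# shape (main.php?page=<16 hex digits>). "hxxp" is accepted so defanged IOCs match as pasted.
CAMPAIGN_SUBJECT = "you order with amazon.com"
LANDING_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>]+?/main\.php\?page=[0-9a-f]{16}\b", re.I)
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>]+", re.I)
TRUSTED_DOMAIN = "amazon.com"  # assumption: the brand this lure impersonates

def body_text(msg):
    # Join every text/* part (multipart containers are skipped by the maintype check).
    out = []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def host_of(url):
    # Re-arm the defanged scheme only so urlparse can find the host; nothing is fetched.
    return (urlparse(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or "").lower()

def triage(raw_email):
    """Return the indicators found in one RFC 822 message plus a verdict."""
    msg = message_from_string(raw_email)
    subject = msg.get("Subject", "")
    text = body_text(msg)
    # A link belongs to the brand only if its host is the brand domain or a subdomain of it.
    offsite = [u for u in URL_RE.findall(text)
               if host_of(u) != TRUSTED_DOMAIN and not host_of(u).endswith("." + TRUSTED_DOMAIN)]
    claims_brand = "amazon" in (subject + msg.get("From", "")).lower()
    result = {
        "subject_match": subject.strip().lower() == CAMPAIGN_SUBJECT,
        "landing_urls": LANDING_RE.findall(text),
        "offsite_links": offsite,
        "brand_mismatch": claims_brand and bool(offsite),
    }
    result["verdict"] = ("block" if result["landing_urls"] or (result["subject_match"] and offsite)
                         else "review" if result["brand_mismatch"] else "allow")
    return result

# Constructed sample modelled on the lure in the post (URL as printed there, defanged).
SAMPLE_LURE = ("From: Amazon.com <orders@example.invalid>\r\nSubject: You Order With Amazon.com\r\n"
               "Content-Type: text/html\r\n\r\n<p>Please <a href=\"hxxp://atjoviygdm.dnset.com/"
               "main.php?page=8e2cf5bb67d777a4\">click here</a> to verify your order.</p>")
```

Calling triage(SAMPLE_LURE) returns a verdict of "block"; a brand-named sender linking to an unrelated host without the landing pattern is only flagged "review".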

This email campaign further illustrates the ingenuity and speed at which cyber-criminals package and propagate malicious content along with social-engineering techniques in order to exploit both recent software vulnerabilities and the trusting nature of end-users.
