Malicious email scam "Re: Scan from a Xerox W. Pro #XXXXXXX" returns with a new face
About 6 months ago, a malicious email scam with the subject "Re: Scan from a Xerox W. Pro #XXXXXXX" went wild. This scam has returned – this time, with a new face! Instead of making you attach a .zip file, as it did in the past, it now prompts you to click a download link. You know you shouldn't click this link, right?
The Websense® ThreatSeeker® Network has detected that the download URL link is actually a malicious URL.
As shown in the screenshot below, we can see that there is an iframe in its payload. This redirects the link to a malicious site that hosts a Blackhole exploit kit. Once the iframe is loaded, content from the Blackhole exploit kit (which contains a highly obfuscated script ) site is also loaded. Upon decoding the code, we can now see that the actual code searches for vulnerable software, and uses an appropriate exploit. Successful exploitation executes a shellcode that triggers the download and execution of malware.
The kit is currently widespread and popularly used by attackers. It offers users software-as-a-service (Saas) solution, where all they need to do is simply rent the kit. The domain registration, site configuration, and setup are handled by the author group. Another really interesting aspect of this kit, that uniquely differentiates it from its competitors, is that it provides administration options for smart phones! Users do not need to install any application; it is simply a Web-based interface optimized for smart phones. Furthermore, there is an administration option for this kit to use underground audio and video scanners for malware. This lets attackers tweak their malware samples to make them undetectable prior to launching their attack live.
So far, the Websense® Triton® Hosted Security Message Center has detected more than 3,000 messages in this campaign.
Websense customers are protected against this attack with ACE, our Advanced Classification Engine.