September 13, 2012

Voice Mail Notifications and ADP Emails Lead to Blackhole Exploit Kit

Ran Mosessco Principal Security Researcher

Since Blackhole Exploit Kit 2.0 was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email. 

Websense® ThreatSeeker® Network has recently intercepted a few malicious email campaigns that try to lure the victims to Web pages that host this popular exploit kit. Some of the themes were new to us and some familiar.

One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com. Like other malicious social engineering campaigns, these email campaigns try to lure victims to click links that ultimately lead to pages hostingBlackhole Exploit Kit. A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters.

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version.

ADP is one the largest names in payroll services, so it's no surprise that a spoofed ADP notification email is used as a lure.

Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":

Let's follow one of the possible redirection paths:


Please refer to our previous blog post to learn more about the landing page.

Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message."

 Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":

The redirection chain here is similar:


The landing page shows similar content to the previous example. See here.

Another scheme thanks the user for signing up for a premium service.

Subject lines include "Thank you for activating paid services":


Different redirection chain, but the landing page hosts Blackhole, with a very familiar path:


And finally, the familiar theme of FDIC notifications claiming your wire transfer ability was suspended.

Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"

Here again, simple redirection leads to typical "/main.php?page=" type URLs.


Note that as part of the update to Blackhole 2.0, we are much more likely to see URLs like those used in the first two examples, rather than the latter two, due to the dynamic URL generation capability.


Ran Mosessco

Principal Security Researcher

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.