Spam messages crafted to look like convincing email from LinkedIn, Facebook, ADP, American Express, US Airways, the U.S. Postal Service, UPS, and several other high-profile organizations are all part of a single, orchestrated attack campaign that uses the Blackhole exploit kit and aims to steal victims’ online financial credentials.
There are multiple common threads that tie the spam messages together as one effort by one cyber criminal group, or multiple groups working together, said researchers at Trend Micro.
“It’s one operation probably run by two to three individuals very focused on the theft of financial credentials,” and likely out of Eastern Europe, said Tom Kellermann, vice president of cyber security at Trend Micro. The attacks mostly deliver Zeus and Cridex malware variants via the Blackhole exploit kit.
The attackers blended phishing, spear-phishing, drive-by downloads, and traffic redirection all into one attack. In addition, the attackers have done their homework on victims, targeting groups that have trusted relationships with specific organizations, he said.
Other brands they are spoofing are Microsoft, Bank of America, AT&T, Citibank, Wells Fargo, Intuit, PayPal, the Apple Store, FedEx, HP ScanJet, CareerBuilder, Verizon, NACHA, Delta Airlines, FedWire, and CenturyLink. Trend Micro closely tracked the spam runs between April and June and was able to determine some key links among the seemingly separate spam runs.
In an attack, the user receives the fraudulent but convincing-looking email; clicking an embedded link in the message takes the victim to a known, legitimate website the attackers have compromised. A page there redirects the user to the malicious landing page, where the exploit kit scans the user’s machine for vulnerabilities and, when it finds one, all bets are off: the machine is infected with the information-stealing malware.
Among the common characteristics: the spam was sent from the same botnets; in many cases the criminals used the same IP address for the exploit kit on different days; and the same compromised websites were reused in several attacks.
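The linking logic the researchers describe (runs that share an exploit-kit IP or a compromised redirector site belong to one campaign) can be reproduced from a defender's own proxy or URL-filter logs. The following is an added example, not Trend Micro's code or data: the spam-run records, domains and IPs are constructed for illustration (IPs come from the RFC 5737 documentation ranges), and it uses union-find so that runs linked only transitively (R1 shares an IP with R2, R2 shares a redirector with R3) still land in the same cluster.

```python
"""Cluster seemingly separate spam runs by shared infrastructure.

Each record describes one observed spam run: the brand it impersonated, the
compromised site that did the redirecting, and the IP the exploit-kit landing
page resolved to. Runs that share a redirector or a kit IP are linked, and
transitive links form campaign clusters.
"""
from collections import defaultdict

# Constructed sample data for illustration only; none of these values come
# from the article. IPs are from the RFC 5737 documentation ranges.
SPAM_RUNS = [
    {"run": "R1", "brand": "LinkedIn", "date": "2012-04-03",
     "redirector": "blog-one.example", "kit_ip": "203.0.113.10"},
    {"run": "R2", "brand": "ADP", "date": "2012-04-11",
     "redirector": "shop-two.example", "kit_ip": "203.0.113.10"},
    {"run": "R3", "brand": "US Airways", "date": "2012-05-02",
     "redirector": "shop-two.example", "kit_ip": "198.51.100.7"},
    {"run": "R4", "brand": "UPS", "date": "2012-05-20",
     "redirector": "news-three.example", "kit_ip": "198.51.100.7"},
    {"run": "R5", "brand": "Verizon", "date": "2012-06-01",
     "redirector": "forum-four.example", "kit_ip": "192.0.2.44"},
]

# Fields whose shared values tie two runs together.
LINK_FIELDS = ("redirector", "kit_ip")


class DisjointSet:
    """Minimal union-find over hashable run identifiers."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_runs(runs, link_fields=LINK_FIELDS):
    """Return a list of clusters; each cluster is a sorted list of run ids.

    Two runs are linked if they share a value in any of link_fields; the
    clusters are the connected components of that relation.
    """
    ds = DisjointSet()
    seen = {}  # (field, value) -> first run id that used it
    for r in runs:
        ds.find(r["run"])  # register the run even if it shares nothing
        for field in link_fields:
            key = (field, r[field])
            if key in seen:
                ds.union(seen[key], r["run"])
            else:
                seen[key] = r["run"]
    groups = defaultdict(list)
    for r in runs:
        groups[ds.find(r["run"])].append(r["run"])
    return sorted(sorted(g) for g in groups.values())


def shared_indicators(runs, cluster, link_fields=LINK_FIELDS):
    """For one cluster, map each field to the values that appear in more than
    one run, with the sorted run ids that used each value."""
    by_run = {r["run"]: r for r in runs}
    out = {}
    for field in link_fields:
        uses = defaultdict(list)
        for run_id in cluster:
            uses[by_run[run_id][field]].append(run_id)
        shared = {v: sorted(ids) for v, ids in uses.items() if len(ids) > 1}
        if shared:
            out[field] = shared
    return out


if __name__ == "__main__":
    for cluster in cluster_runs(SPAM_RUNS):
        brands = [r["brand"] for r in SPAM_RUNS if r["run"] in cluster]
        print(cluster, brands, shared_indicators(SPAM_RUNS, cluster))
```

On the constructed data the four LinkedIn, ADP, US Airways and UPS runs collapse into one cluster even though no single indicator spans all four, while the Verizon run stays separate; in practice the same pass over real logs gives a blocklist of the shared kit IPs and redirector hosts that covers every lure in the cluster, not just the one brand a given user reported.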