After the DigiNotar breach, spammers sent emails to banks' business clients claiming that their certificates had expired and urging them to click a link to resolve the issue.
Most Internet browsers and applications had banned DigiNotar certificates, which created confusion that the spammers exploited.
Security researchers discovered a series of emails that tried to fool unsuspecting users into believing something was wrong with their certificates, so that they would visit a website that supposedly fixed the problem.
When a user clicked the link, the landing page hosted an exploit kit and the system was completely compromised.
“Once the browser visits that site a series of attacks begin which can result in the download of Trojan.Buzus,” said two Barracuda Networks security researchers.
While monitoring the malware, they found that, besides stealing login credentials, it also opened a backdoor that gave the attackers access to the infected machine.
The Blackhole exploit kit has not seen a lot of use in this campaign, but the more worrying aspect is that the results of the campaign can be devastating, said Carl Leonard of Websense Security Labs.
He said the threat consists of a .scr file that delivers the exploits. “This is not a targeted attack in an advanced persistent threat style, but it looks like a phishing email but this is much more sinister as it delivers an exploit kit and not a standard phish.”
Blackhole appears to be one of cybercriminals' favorite exploit kits; it attacks Windows-based systems and is built on PHP and MySQL code to cause damage and steal information.
The worst aspect of this malware is that it is hard for anti-virus applications to detect, because it is able to change the name of the file that contains it.