Black Hole Tool Kit Coming to Life

Wednesday, February 15, 2012 @ 05:02 PM gHale

There are a large number of spam messages circulating that try to trick the recipient into clicking on a link that points to the malicious Black Hole Tool Kit, Symantec researchers said.

Over 200 unique URLs are in a series of emails that urge users to verify their accounts after the sender company identified some discrepancies.

The phony emails appear to come from a legitimate company:
“With intent to assure that the exact information is being sustained on our systems, as well as to improve the quality of service we can provide to you; [COMPANY NAME] has participated in the Internal Revenue Service [IRS] Name and TIN Matching Program.

“We have found out, that your name and/or TIN, that we have on your account is different from the information on file with the Social Security Administration.

“In order to verify your account, please enter the secure section.”

Once the victim clicks on the link, they are taken to a page containing more links that point to a JavaScript file called js.js.

This file serves the Black Hole Tool Kit, which looks for various vulnerabilities on the victim’s computer; the final payload is Trojan.Zbot.

The domains that contain the malicious JavaScript file are not only newly registered domains, but also legitimate domains hijacked by the cybercriminals that launched the campaign.
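
Because hijacked legitimate domains defeat simple domain-reputation checks, a structural check on the landing page can help with triage. The following Python is an added example, not from Symantec or the original article: it flags a fetched page that references a file named js.js on several hosts other than its own. The function names, the two-host threshold and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SUSPECT_NAME = "js.js"  # file name reported in the article

class RefCollector(HTMLParser):
    """Collect URLs from <script src> and <a href> attributes."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = {"script": "src", "a": "href"}.get(tag)
        self.refs += [v for k, v in attrs if k == wanted and v]

def external_js_hosts(page_url, html):
    """Hosts other than the page's own that are referenced for a file named js.js."""
    collector = RefCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    hosts = set()
    for ref in collector.refs:
        # Resolve relative references against the page URL before comparing hosts.
        parts = urlsplit(urljoin(page_url, ref))
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if filename == SUSPECT_NAME and parts.hostname not in (None, page_host):
            hosts.add(parts.hostname)
    return sorted(hosts)

def is_suspicious(page_url, html, min_hosts=2):
    """Assumed heuristic: the same script name on several foreign hosts."""
    return len(external_js_hosts(page_url, html)) >= min_hosts

# Constructed sample page; all hosts use the reserved .example TLD.
SAMPLE_URL = "http://landing.example/verify/index.html"
SAMPLE_HTML = """<html><body><p>Loading...</p>
<script src="http://one.example/a1b2/js.js"></script>
<script src="http://Two.Example/x/JS.JS?id=1"></script>
<a href="http://three.example/js.js">continue</a>
<script src="/static/js.js"></script>
<script src="http://cdn.example/jquery.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(external_js_hosts(SAMPLE_URL, SAMPLE_HTML))
    print(is_suspicious(SAMPLE_URL, SAMPLE_HTML))
```

A single external js.js reference is common on benign sites, so the threshold should be tuned against known-good pages before the result is used for blocking.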

Users should not click on links that come with a suspicious-looking email, and should also avoid opening attachments, especially if they are exe, zip, or pdf files.
