Attackers Go Phishing for Payroll Workers With Java CVE-2012-1723 Exploit

The Java CVE-2012-1723 vulnerability is suddenly the golden child of bugs. The flaw, which Oracle patched in June, has been the target of several pieces of malware and Web-based attacks of late, and now researchers say there is a phishing scam targeting payroll and HR employees that involves an exploit for the Java bug, as well.

Phishing schemes and targeted attacks against the people inside organizations who run payroll and other finance functions have been an ongoing problem for several years, but they may not be as well-known as some of the more general phishing scams. These attacks are designed to get the attacker’s malware onto the machine of someone who handles large amounts of money and financial transactions on a regular basis. There have been numerous examples of small businesses and local government agencies that have been targeted and lost large amounts of money through these attacks.

The latest version of this kind of attack is using a scare tactic, telling recipients of the phishing email that the certificate they use to access their ADP payroll system is about to expire and needs to be renewed. If the user clicks on the embedded link, she’ll end up on a site that’s serving up a variety of exploits, including one for the Java CVE-2012-1723 flaw. 

“Those who clicked nonetheless, have likely been ‘had’ though. The shown marottamare link redirected via three other web sites, and then ended up on 50.116.36.175, a very temporary home on what looks like a rented Linux VServer. From there, the exploits were delivered, and at least one of them, Java CVE2012-1723, is currently netting the bad guys a lot of illicit system access,” Daniel Wesemann of the SANS ISC Storm Center wrote in an analysis of the attacks. 

The URL that’s being used in the attacks is hosted at marrottamare dot it, which users can discover if they simply hover their mouse over the link in the phishing email. The link looks as if it’s hosted on an ADP site.

The beauty of this kind of attack, from the attacker’s point of view, is that, as Wesemann points out, a high percentage of the people who click on the link in this email are likely to be the kind of victim that the attacker wants. Some non-payroll or HR employees likely have a vague idea what ADP is and may know that’s who handles their paychecks, but they’d probably be less likely to click on the link than a payroll employee would be.

“Hence, the odds are pretty high that someone who clicks on the link in the email is actually a HR/Payroll person. Combine the link with a nice fresh set of exploits that have near-zero detection in anti-virus, and you have a Get-Rich-Quick scheme for the crooks that’s hard to beat,” Wesemann said.
