Fake ADP and FDIC Notifications Leading Users to Blackhole Exploit Kit

With the latest iteration of the Blackhole Exploit Kit hitting the web this week, attackers are going to great lengths to spread around links to get unsuspecting victims to click through to the first version of the kit.

E-mail notifications claiming to come from Microsoft Exchange, ADP, the Federal Deposit Insurance Corporation and other purported “trusted sources” have been spotted this week leading web users to pages hosting the original exploit kit.

A post by Ran Mosessco, a Security Analyst at Websense, on the firm’s Security Labs blog breaks down some of the deceptive emails.

A notification claiming to come from payroll services company ADP tries to trick employees into clicking through to what appears to be their Online Invoice Management account to “protect the security of [their] data.”

Elsewhere, an email disguised as a voicemail notification from Microsoft Exchange Server tries to get users to double-click a link to listen to a voicemail, and an email that appears to come from the FDIC tries to get users to follow a link to download “a new security version.”

While all these links currently lead to pages hosting the original Blackhole Exploit Kit, Mosessco writes that it likely won’t be long until they begin directing to Blackhole 2.0. The latest version of the kit surfaced online earlier this week and was updated to remove old exploits that have already been fixed. It also came with new features that make it tricky for researchers to reverse-engineer the kit.

Discussion

  • Anonymous on

    clever

  • Anonymous on

    We received e-mails supposedly from ADP that contained no links but it did have an attached ZIP file.

  • Anonymous on

    Saw emails containing notice of ADP expired security certificate. Attachment was a zip trojan downloader.

  • Anonymous on

    Ditto on the ADP expired certificate. Seemed to be fairly targeted in our case (C level). Might be that our executives' names are on a list somewhere, might just be chance.

  • Anonymous on

    Same here for the ADP certificate, both of the people here who got it are on the ADP contact list. No one else at our company was contacted. Makes you wonder if someone has an ADP contact list.
