Fake Payroll Confirmation Email Leads to Black Hole Exploit Kit

Criminal hackers launched an attack campaign earlier this week in which they sent a slew of emails purporting to come from the financial software developer Intuit. The emails contained links that led to sites hosting the Blackhole exploit kit in an apparent attempt to infect the machines of corporate users.

Criminal hackers launched an attack campaign earlier this week in which they sent a slew of emails purporting to come from the financial software developer Intuit. The emails contained links that led to sites hosting the Blackhole exploit kit in an apparent attempt to infect the machines of corporate users.

In a Webroot analysis, Dancho Danchev explains that the two separate campaigns imitated Intuit Payroll’s direct deposit system in hopes that their recipients would follow malicious links included in the emails and thus infect themselves with the latest version of the Black Hole Exploit kit.

The exploit is serving an Adobe vulnerability from two years ago, CVE-2010-0188. A successful exploitation will load ‘MD5: 5723f92abf257101be20100e5de1cf6f’ and ‘MD5: 06c6544f554ea892e86b6c2cb6a1700c’ to its host.

The various malicious domains used in the campaign responded to the same set of IP addresses. You can find a list of the malicious URLs in Danchev’s write-up.

The first campaign’s emails looked like this and second campaign looked like this. Users that followed the malicious link were presented with a bogus loading screen that claimed they would not be able to access their QuickBooks account without an update to the Intuit Security Tool.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.