Everyone loves babies, especially magical royal ones who are destined to pull a sword from a stone. As it turns out, the baby-admiring demographic also includes spammers, who are using the current frenzy over the birth of Prince William and Duchess Kate’s baby boy to direct victims to a site serving the Black Hole exploit kit.
A spam run that began in the last couple of days, as the Duchess of Cambridge, Kate Middleton, went into labor, has sent huge volumes of junk messages to recipients around the world. The messages contain a link that points victims to a site claiming to offer a live feed of news about the baby. That site in turn links to a second site hosting the Black Hole exploit kit. The first site appears to have been cleaned already, so the link to the malicious site is gone.
However, researchers have found that three URLs from this spam run are still serving Black Hole. Searching for the original malicious URL returns just one hit, and researchers from Kaspersky Lab examined the content on that site and found some interesting things.
“What we find there is basically the same textual content as we had seen in the email, but there is one difference: the contained link to the ‘hospital-cam’ is currently still alive. It contains three links with *.js naming on yet another set of hosts,” Michael Molsner, a security researcher at Kaspersky Lab, wrote in an analysis of the attack.
“Checking these, we finally see what it is all about, namely a ‘Blackhole Exploit Kit’ serving URL – a drive-by approach to infect unprotected users ‘on the fly’.”
Black Hole is one of the more pernicious and popular exploit kits in use today. It has been around for several years now, but for the first few years of its existence it was sold privately. In 2011 a free version of Black Hole was made available online, which provoked a sharp increase in the use of the toolkit. It is often employed by attackers who first compromise a legitimate Web site and then install the Black Hole kit on the compromised server. The rigged site then fires exploits at visitors’ browsers, trying various vulnerabilities until one of them succeeds.
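The pattern Molsner describes (a lure page on one host that pulls several *.js files from other hosts, which in turn lead to the exploit-kit URL) is the first thing to check when triaging a suspected drive-by landing page. The script below is an added example, not code from the original article or from Kaspersky Lab: it parses a page's HTML, resolves every script reference to an absolute URL, and groups the scripts hosted off the page's own domain by host, so an analyst knows which files to fetch next in a sandbox. The sample HTML and all hostnames in it are constructed for illustration and are not the URLs from the campaign.

```python
"""Triage a suspected drive-by landing page by listing the external
scripts it loads. Added example, not from the original article or from
Kaspersky Lab; the sample HTML and every hostname below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for a lure page: served from one host, pulling *.js
# from several others (the pattern the article describes). Not real URLs.
SAMPLE_PAGE_URL = "http://news-lure.example/royal-baby-live.html"
SAMPLE_HTML = """
<html><body>
<h1>Live hospital cam</h1>
<script src="/static/player.js"></script>
<script src="http://cdn-a.example/jquery.js"></script>
<script src="//cdn-b.example/stats.js"></script>
<script type="text/javascript" src="http://cdn-c.example/x.js"></script>
<img src="http://images.example/baby.jpg">
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def script_urls(html, page_url):
    """Return the absolute URL of every script the page references, in order."""
    parser = ScriptCollector()
    parser.feed(html)
    # urljoin resolves relative paths and scheme-relative (//host/...) refs
    # against the page URL, so every entry can be fetched as-is.
    return [urljoin(page_url, src) for src in parser.srcs]


def offsite_scripts(html, page_url):
    """Scripts served from a host other than the page's own, grouped by host.

    These are the candidates to retrieve (in a sandbox, never in a browser)
    and inspect for redirectors to an exploit-kit URL. First-party scripts
    are left out because they live on the already-known lure host."""
    own_host = urlsplit(page_url).hostname
    by_host = {}
    for url in script_urls(html, page_url):
        host = urlsplit(url).hostname
        if host and host != own_host:
            by_host.setdefault(host, []).append(url)
    return by_host


if __name__ == "__main__":
    for host, urls in offsite_scripts(SAMPLE_HTML, SAMPLE_PAGE_URL).items():
        print(host)
        for u in urls:
            print("   ", u)
```

Run against a page saved from a spam link (fetched with a non-browser client from an isolated machine), the output is the set of third-party hosts to chase next; the off-site scripts themselves should be downloaded and read statically, since executing them is exactly what the kit counts on.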
It’s a shotgun approach to exploitation and malware installation, and it has been quite successful for a variety of attack groups. Drive-by downloads have been responsible for a great many malware infections in recent years, and the attackers behind these operations often rely on current events as the lure for the spam campaigns that direct visitors to the compromised sites. They’ll use whatever story happens to be in the news at the moment, whether it’s an election, a coup, a cat stuck in a tree or the birth of a future heir to the British throne.