Series Of Convincing Spam Runs Part Of One Massive Advanced Attack Campaign

Published: 22/11/2024   Category: security


Trend Micro researchers connect multiple spam attacks as single, targeted operation aimed at stealing online financial credentials



Recent widespread spam runs posing as convincing-looking email messages from LinkedIn, Facebook, ADP, American Express, US Airways, the U.S. Postal Service, UPS, and several other high-profile organizations are all part of a single, orchestrated attack campaign using the Blackhole exploit kit and aimed at stealing victims' online financial credentials, Dark Reading has learned.
Researchers at Trend Micro say they found multiple common threads that tie the spam messages together as one effort by one cybercriminal group, or multiple groups working together. "It's one operation probably run by two to three individuals very focused on the theft of financial credentials, and likely out of Eastern Europe," says Tom Kellermann, vice president of cybersecurity at Trend Micro. The attackers are using mostly Zeus and Cridex malware variants in the attacks via the Blackhole Exploit Kit, he says.
But this is not your father's spam: The attackers blended phishing, spear-phishing, drive-by downloads, and traffic redirection all into one attack. "Spam is not the right word for this," Kellermann says. "I call this phenomenon 'blast phishing' or 'dynamite phishing.'" And the attackers have done their homework on victims, as well, he says, targeting groups that have trusted relationships with specific organizations, for example.
"They are correlating information [about you] before they target you, and they are trying to bypass security measures ... by redirecting traffic to legitimate sites that have been hosed, and then pushing you back into nefarious sites where they scan for vulnerabilities," Kellermann says. That ultimately leads them to grabbing the victims' financial credentials via the exploits, he says.
Other well-known brands they are spoofing are Microsoft, Bank of America, AT&T, Citibank, Wells Fargo, Intuit, PayPal, the Apple Store, FedEx, HP ScanJet, CareerBuilder, Verizon, NACHA, Delta Airlines, FedWire, and CenturyLink. Trend Micro closely tracked the spam runs between April and June and was able to determine some key links among the seemingly separate spam runs.
The attack works like this: A user receives the fraudulent but convincing-looking email, and if he or she visits an embedded link in the message, the victim is directed to a known and legitimate website that the attackers have compromised. (Trend Micro would not reveal which sites were hacked.) A page there redirects the user to a malicious website or landing page. There the user's machine is scanned for potential vulnerabilities that, when found, can be exploited to infect the machine with the information-stealing malware.
Among the common characteristics in the various spam runs that led Trend to conclude the campaigns were all related: the runs used some of the same botnets; in many cases, the same IP address was used in the exploit kits on different days; and compromised websites were reused in several attacks.
Websites that hosted a malicious Blackhole Exploit Kit landing page rarely hosted only one such page. Websites usually hosted several landing pages used in distinct spam runs. Spam runs frequently went on until the security holes that allowed websites to be compromised were patched, according to a report on the campaign that Trend will release tomorrow.
[ Obfuscated and encoded code prevents easy customization and creation of new versions of the Blackhole Exploit Kit. See Freebie Black Hole Exploit Kit Limited By Encoding. ]
There are similar URL patterns in the spam runs and on the compromised websites, too, and the attackers delivered similar payloads -- mostly Zeus (66 percent of the attacks) and Cridex (29 percent of the attacks). "Taken together, the conclusions indicate that the series of spam runs make up a coherent campaign that is being carried out by attackers who are organized in some manner," the Trend researchers wrote in their report.
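The linking logic the researchers describe above (shared botnets, landing-page IP addresses reused on different days, compromised redirector sites reused across runs, and similar landing URL patterns) can be reproduced as a small infrastructure-overlap clustering, which is what a threat-intel analyst would run over spam-run telemetry to decide whether separate runs belong to one campaign. The following is an added example written for this page; it is not code from Trend Micro or Dark Reading. Every record, domain, IP address and URL shape in it is constructed (reserved example ranges and `.invalid` names), and the weighting rule is an assumption: a shared URL shape alone counts as weak evidence, since many kit deployments reuse the same script names, and only links two runs when combined with another shared indicator.

```python
"""Link separate spam runs into campaigns by shared infrastructure.

Added example for this page, not Trend Micro's or Dark Reading's code.
All records below are constructed placeholders, not real indicators.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List


@dataclass(frozen=True)
class SpamRun:
    run_id: str
    date: str            # MM-DD, constructed
    spoofed_brand: str   # brand the lure impersonates
    botnet: str          # sending-botnet label from spam telemetry (constructed)
    redirector: str      # compromised legitimate site that bounces the victim
    landing_ip: str      # host serving the exploit-kit landing page
    url_pattern: str     # normalised shape of the landing URL path


# Constructed sample telemetry (placeholder domains, IPs and paths).
RUNS = [
    SpamRun("r1", "05-02", "LinkedIn",   "botnet-A", "example-bakery.invalid", "192.0.2.10",   "/main.php?page=<hex8>"),
    SpamRun("r2", "05-04", "ADP",        "botnet-A", "example-bakery.invalid", "192.0.2.11",   "/main.php?page=<hex8>"),
    SpamRun("r3", "05-09", "US Airways", "botnet-B", "example-choir.invalid",  "192.0.2.11",   "/showthread.php?t=<hex8>"),
    SpamRun("r4", "06-01", "Facebook",   "botnet-B", "example-garden.invalid", "192.0.2.12",   "/main.php?page=<hex8>"),
    SpamRun("r5", "06-03", "UPS",        "botnet-C", "example-garden.invalid", "198.51.100.7", "/index.php?id=<num>"),
    SpamRun("r6", "06-10", "Citibank",   "botnet-D", "example-lodge.invalid",  "203.0.113.5",  "/go.php?sid=<num>"),
    SpamRun("r7", "06-12", "PayPal",     "botnet-E", "example-mill.invalid",   "203.0.113.9",  "/go.php?sid=<num>"),
]

# Assumed weights: a shared URL shape alone is weak evidence and never links
# two runs by itself; any shared botnet, redirector or landing IP does.
WEIGHTS = {"redirector": 2, "landing_ip": 2, "botnet": 2, "url_pattern": 1}
LINK_THRESHOLD = 2


def shared_evidence(a: SpamRun, b: SpamRun) -> int:
    """Score how much infrastructure two spam runs have in common."""
    return sum(w for attr, w in WEIGHTS.items() if getattr(a, attr) == getattr(b, attr))


def link_runs(runs: List[SpamRun], threshold: int = LINK_THRESHOLD) -> List[List[str]]:
    """Group runs into campaigns with union-find over pairwise evidence links.

    Links are transitive: r1 and r4 share only a URL shape, but both are
    reachable through other runs, so they land in the same campaign.
    """
    parent = {r.run_id: r.run_id for r in runs}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for a, b in combinations(runs, 2):
        if shared_evidence(a, b) >= threshold:
            parent[find(a.run_id)] = find(b.run_id)

    groups = defaultdict(list)
    for r in runs:
        groups[find(r.run_id)].append(r.run_id)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


def summarize(runs: List[SpamRun], clusters: List[List[str]]) -> List[Dict]:
    """Describe each campaign: brands spoofed, infrastructure reused, date span."""
    by_id = {r.run_id: r for r in runs}
    out = []
    for cluster in clusters:
        members = [by_id[i] for i in cluster]
        out.append({
            "runs": cluster,
            "brands": sorted({m.spoofed_brand for m in members}),
            "redirectors": sorted({m.redirector for m in members}),
            "landing_ips": sorted({m.landing_ip for m in members}),
            "span": (min(m.date for m in members), max(m.date for m in members)),
        })
    return out


def runs_per_month(runs: List[SpamRun]) -> Dict[str, int]:
    """Count runs per month, the kind of volume figure the report quotes."""
    return dict(Counter(r.date[:2] for r in runs))


if __name__ == "__main__":
    for campaign in summarize(RUNS, link_runs(RUNS)):
        print(campaign)
    print(runs_per_month(RUNS))
```

On the constructed data the five May and early-June runs collapse into one campaign although no single indicator is common to all of them, while the two `go.php` runs stay separate because a matching URL shape is their only overlap. In practice the weights and threshold would be tuned against known-good clusters, and a shared redirector should be confirmed to be the same compromised site rather than a shared hosting provider.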
The attackers also scheduled organized runs on certain days and in various volumes. In June, for example, they executed 134 different spam runs posing as 40 different companies, while in May they ran 66 separate spam runs posing as 21 different companies. And meanwhile, the attacks are still under way.
"It's worrisome that this exploit kit and this campaign kill chain could be leveraged for something more nefarious than stealing financial credentials," Trend Micro's Kellermann says.
And still unclear is just how they targeted their victims: Did they compromise any of the organizations they spoofed, or did they hack a third party with those email addresses or customer names? Trend's Kellermann says his firm has no evidence of either scenario, but the bad guys had to have some source of intelligence for their targets. "That's the real question we have to ask ourselves," Kellermann says.