How Exploit Kits Changed Spammers’ Writing

Behold, the power of tools: The wide availability of browser exploit kits has changed how spammers write their emails.

Instead of appeals to urgency on an epic scale, the hip spammer of today writes low-key, “your statement is available online.” Whereas the goal used to be the user typing all their sensitive data into a web form, nowadays they just want the user to click on a link. The exploit kit then drops malware which hoovers up the victim’s data.

And I’ll bet a lot more people fall for the new kind of attack, too.

Those who invented the Blackhole kit almost certainly had no idea their concept would have such an impact. But technology is a force multiplier which works as well for evil as for good, and so a little bit of software has streamlined an entire category of fraud.

I’m trying to imagine what it would be like if someone came up with a defensive equivalent.

“Spammers used to depend on email recipients to tie the noose around their own necks by inputting their personal and financial information in credible spoofs of legitimate websites, but with the advent of exploit kits, that technique is slowly getting sidelined.

Prompted by the rise in numbers of spam runs leading to pages hosting exploit kits, Trend Micro researchers have recently been investigating a number of high-volume spam runs using the Blackhole exploit kit.

According to them, the phishing messages of today have far less urgency and the message is implicit: “Your statement is available online”; or “Incoming payment received”, or “Password reset notification.”

“In many cases these messages are identical to the legitimate messages sent by the legitimate organization,” they pointed out. “Sometimes, the only difference between the legitimate version of the email and the phished version is the bad link.[…]

As previously mentioned, the malicious payloads delivered through the exploit kit are mostly information stealing malware with additional backdoor capabilities: Zeus in 66 percent of the cases and Cridex in 29 percent.

The researchers have analyzed 245 spam runs leading to the Blackhole kit started in April, May and June.

They have come to believe that all of these attacks were conducted by a single group or several groups acting in concert with one another, since the botnets sending out spam had a high degree of overlap from one day to the next, compromised sites were used and reused from one attack to another, and the exploit methods used in attacks were similar”
