MalwareCleaning

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, January 30, 2013

Facebook spam leads to Exploit Kit

Posted on 3:08 AM by Unknown

To no wonders, the Blackhole Exploit Kit is still trying to infect users. One of the techniques commonly used is to send the victim an email from for example Facebook, Linkedin, Twitter, .... Asking to click on a link.

We'll take a small peek at those tactics. We received the following email:

You have received a new comment
















Hi ,
You have disabled your Facebook account. You can restore your account at any moment by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site in usual way.
Thanks,
The Facebook Team


Obviously, Facebook didn't disable your account at all. There are some factors to easily determine this email is fake:

  • The 'From' field says it's from "Facebook", however, the sender is clearly 'nondrinker@iztzg.hr'.
  • Have you disabled your account? If not, then there's no reason to receive this mail.
  • The subject and the content of the email do not match.
  • Hovering over the links in the email reveals the real URL, which are not Facebook URLs.


When clicking on any of the links, you are presented (after several redirects) with the Blackhole Exploit Kit (aka BH EK). It tries to load a Java exploit on the machine by firstly detecting which plugin and Java version you are using:

PluginDetect
 








The payload? Probably ransomware or a Banker Trojan.


You can find the full JavaScript and the infection source on Pastebin :
http://pastebin.com/9PgDTXsb



Prevention

Use the NoScript add-on in Firefox or NotScripts in Chrome to prevent this.
Use the WOT add-on to check on the status of a website.
Use your common sense and ask yourself the proper questions (see below).
Use a URL scanner if you're unsure about a URL. Some examples are VirusTotal, URLvoid and URLquery.




Conclusion

As usual with this kind of emails, be alerted and always ask yourself the proper questions:

Why did this get in my Unwanted Email or Spam folder if I normally get Facebook mails in my normal Inbox?
Why would Facebook send me this when my account isn't disabled at all?
Why are those links not pointing to Facebook websites?
Why is the sender not from Facebook itself? What can I see in the headers?

Use your common sense, update your 3d-party applications as well as Windows, and use a decent antimalware and antivirus product.

Email ThisBlogThis!Share to XShare to Facebook
Posted in blackhole exploit kit, blog update, exploit, facebook, Facebook spam, java exploit, malware | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • League of Legends RP hack
    I recently blogged about a (still current) scam targeting players of the online game League of Legends: Free Riot codes scam . When re-check...
  • test for the blog
    Just testing ... :-)
  • Gina Lisa Facebook scam
    Yet another Facebook scam, this time luring users with a sextape from Gina Lisa, whom is apparently a German model: Yet another Facebook sca...
  • Increase in malicious spam
    Rodel Mendrez from M86 Security labs has made an excellent post on a Massive Rise in Malicious Spam: http://labs.m86security.com/2011/08/mas...
  • Facebook Support. Personal data has been changed!
    There appears to be a new malicious email being sent out with the subject: " Facebook Support. Personal data has been changed! ID7530...
  • FedEx spam loads malware
    Received an email from (supposedly) FedEx today, seems my parcel was unable to be delivered: Print your receipt!     Mail details: Subject: ...
  • Analysing malicious PDF files
    This is an ongoing blogpost on how to analyse malicious PDF files... More information coming soon... Content coming soon! [...] Source of PD...
  • A word on XDocCrypt/Dorifel/Quervar
    I'm sure everyone has heard by now about the so called XDocCrypt/Dorifel/Quervar malware. It has mostly damaged machines in The Netherla...
  • Malware Puzzle
    A malware (crossword) puzzle you say? Yes! Why not? I've made a puzzle about malware (and security) related keywords. It comes in .PNG f...
  • [SPAM] He found himself leading the process
    Nothing new here, but interesting to note that this type of trick is still going around. I am talking about an email you receive with (appar...

Categories

  • ACH transfer
  • adobe
  • adobe exploit
  • ADP
  • adware
  • affiliate
  • all your data are belong to us
  • antimalware
  • asprox
  • bancos
  • banking trojan
  • basic malware cleaning
  • battle.net
  • blackhole exploit kit
  • blog update
  • botnet
  • brazilian banking trojan
  • brucon
  • change facebook color
  • conduit
  • cracked hotmail
  • credit card blocked
  • crimeware kit
  • CVE-2006-0003
  • CVE-2010-0840
  • CVE-2012-4681
  • cybercrime
  • d3
  • diablo
  • diablo III
  • diablo phishing
  • DLL injection
  • Dorifel
  • dorkbot
  • encryption
  • end of july
  • exploit
  • exploit kit
  • exprez
  • facebook
  • facebook dislike button
  • facebook event
  • facebook scam
  • Facebook spam
  • facepalm
  • Fake Symantec security check
  • fakeAV
  • fareit
  • FedEx
  • FedEx spam
  • first post
  • flv media player
  • foistware
  • free riot code scam
  • free riot codes
  • free riot points
  • free riot points scam
  • free RP generator
  • fun
  • gina lisa
  • google earth
  • google image poisoning
  • google images
  • hacked hotmail
  • Hacked Hotmail accounts
  • hakin9
  • Hewlett-Packard ScanJet
  • hotfile
  • hotmail
  • illegal games
  • infostealer
  • ING
  • IP and RP Hack Download
  • java
  • java exploit
  • kuluoz
  • lame old malware
  • League of Legends
  • League of Legends MultiHack Generator
  • League of Legends RP generator
  • League of Legends RP hack
  • linkedIN
  • LoL
  • LoL RP Hack
  • low detection
  • malvertising
  • malware
  • malware analysis
  • malware analysis lab
  • malware cleaning
  • malware lab
  • malware puzzle
  • malware tools
  • medfos
  • messenger
  • MSN
  • neosploit exploit kit
  • paypal
  • paypal spammail
  • PC Speed Maximizer
  • pcspeedplus
  • PDF
  • phishing
  • poker games
  • potentially unwanted program
  • pricegong
  • PUP
  • pushdo
  • Quervar
  • Question and Answer
  • rabobank
  • ransomware
  • rapidshare
  • redkit exploit kit
  • RemovalTool.exe
  • Riot codes scam
  • Riot points scam
  • roguevertising
  • rogueware
  • rootkit
  • sasfis
  • scam
  • scareware
  • security
  • security conference
  • security.nl
  • skype
  • skype worm
  • social engineering
  • spam
  • spear phishing
  • spim
  • survey scam
  • team cymru
  • technoviking
  • tepfer
  • test
  • trojan
  • twitter
  • United Parcel Service
  • UPS
  • UPS spam
  • verizon spam
  • video
  • vmware
  • wellsfargo
  • whitesmoke
  • Windows Antibreaking System
  • windows live
  • WinMHR
  • worm
  • XDocCrypt
  • yontoo
  • youtube
  • youtube comment spam
  • youtube spam
  • youtube top comments
  • zeus

Blog Archive

  • ▼  2013 (18)
    • ►  September (2)
    • ►  August (2)
    • ►  July (1)
    • ►  June (3)
    • ►  May (2)
    • ►  April (1)
    • ►  March (1)
    • ►  February (3)
    • ▼  January (3)
      • Facebook spam leads to Exploit Kit
      • Analysing malicious PDF files
      • About YouTube top comments
  • ►  2012 (14)
    • ►  November (1)
    • ►  October (2)
    • ►  September (2)
    • ►  August (3)
    • ►  July (1)
    • ►  June (2)
    • ►  April (3)
  • ►  2011 (15)
    • ►  December (1)
    • ►  September (1)
    • ►  June (1)
    • ►  April (3)
    • ►  March (1)
    • ►  February (5)
    • ►  January (3)
  • ►  2010 (14)
    • ►  December (3)
    • ►  November (1)
    • ►  October (6)
    • ►  September (2)
    • ►  August (1)
    • ►  March (1)
Powered by Blogger.

About Me

Unknown
View my complete profile