Measuring the success of a malware campaign

by Malware

We are often asked whether we have any way of knowing how successful a particular malware or spam campaign has been.  We assume that the “other side” tracks this sort of thing to see what social engineering works, and which material escapes spam and malware checks.  (If any spammer is reading this – we would be happy to publish some of your data).  Since we don’t have access to accurate statistics, we can only base our assessment on the similarities of successive attacks, i.e.: if an attacker repeats a particular method or theme then we can assume that it has been successful enough in the past to warrant repeating.  Some examples of recurring themes used to trick recipients:

  • UPS, DHL, FedEx package notification – often accompanied by an attached “document” that is actually executable malware. This is a good example of a theme that we assume would have run its course – who on earth does not know that they should ignore/delete these emails?  The continued use indicates that it must still be working.
  • IRS tax return error – used with attached malware and then with links to malware (mostly Zeus) – several times in 2011 and again this year.
  • Facebook notifications – that link to pharmacy webpages, with occasional deviations such as the “Facebook social integration with Digg” theme.

More difficult to spot are recurring methods.  These use different social engineering themes but the same modus operandi.  One malware-sending group is clearly happy with the method they have created. Having seen it repeated very often this year, we can summarize the process:

  • Hack a legitimate website.
  • Create a new subfolder with a random 6- or 8-character letter/number name (this is the clearest indication that the same group is at work again and again).
  • Insert a file “index.html” into the new folder that redirects to a domain hosting the Blackhole exploit kit.
  • Think up a new theme to trick users into clicking the link – usually something account/money related.  Examples: Verizon Wireless, ACH transfer rejected, AT&T Wireless.
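One defender-side use of that fingerprint, as an added example that is not code from the original post: a small Python checker that flags links whose path is a single random-looking 6- or 8-character subfolder, optionally followed by index.html. The hostnames and paths in the sample list are constructed, not taken from any real campaign.

```python
import re
from urllib.parse import urlparse

# Pattern described in the post: one subfolder with a random 6- or
# 8-character letter/number name, optionally followed by index.html.
_SEGMENT = re.compile(r"^(?:[a-z0-9]{6}|[a-z0-9]{8})$")
_VOWELS = set("aeiou")


def looks_random(segment: str) -> bool:
    """Heuristic: a random name mixes letters and digits, or has no vowels
    (so a plausible dictionary folder such as 'images' is not flagged)."""
    has_digit = any(c.isdigit() for c in segment)
    has_alpha = any(c.isalpha() for c in segment)
    no_vowel = not (set(segment) & _VOWELS)
    return (has_digit and has_alpha) or no_vowel


def matches_campaign_pattern(url: str) -> bool:
    """True if the URL path is /<6|8 alnum>/ or /<6|8 alnum>/index.html."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if not parts or len(parts) > 2:
        return False
    if len(parts) == 2 and parts[1].lower() != "index.html":
        return False
    seg = parts[0].lower()
    return bool(_SEGMENT.match(seg)) and looks_random(seg)


def flag_links(urls):
    """Return the subset of urls that fit the hacked-site redirect pattern."""
    return [u for u in urls if matches_campaign_pattern(u)]


# Constructed sample links (hypothetical host; not real indicators).
SAMPLE_LINKS = [
    "http://example-hacked-site.test/h7qk2m/index.html",
    "http://example-hacked-site.test/x3bq9rt4/",
    "http://example-hacked-site.test/mnrpqx/",
    "http://example-hacked-site.test/images/logo.png",
    "http://example-hacked-site.test/about/",
    "http://example-hacked-site.test/blog/2012/05/post.html",
    "http://example-hacked-site.test/public/",
]

if __name__ == "__main__":
    for link in flag_links(SAMPLE_LINKS):
        print("suspicious:", link)
```

The vowel/digit heuristic is deliberately loose; in practice you would pair it with the redirect check (fetching the page and looking for a meta-refresh or script redirect to another host) before raising an alert.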

The latest attacks come in the form of bill payments from Wells Fargo and payment reminders from ADP Dealer Services.  All links (including the Wells Fargo “Fraud information center”) follow the proven pattern:


The Blackhole Exploit Kit, in the form of obfuscated JavaScript on the final destination page, probes for exploitable versions of various browsers and add-ons and executes the appropriate payloads, which start a process of downloading further malware onto the victim’s computer.

If you’ve spotted a series like this, feel free to tell us about it in the comments.
