Wednesday, January 30, 2013

Facebook spam leads to Exploit Kit


To no one's surprise, the Blackhole Exploit Kit is still trying to infect users. One technique commonly used is to send the victim an email that pretends to come from Facebook, LinkedIn, Twitter and the like, asking them to click on a link.

We'll take a small peek at those tactics. We received the following email:

You have received a new comment

Hi ,
You have disabled your Facebook account. You can restore your account at any moment by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site in usual way.
Thanks,
The Facebook Team


Obviously, Facebook didn't disable your account at all. Several factors make it easy to determine that this email is fake:

  • The 'From' field says it's from "Facebook"; however, the actual sender address is 'nondrinker@iztzg.hr'.
  • Have you disabled your account? If not, there's no reason to receive this mail.
  • The subject and the content of the email do not match.
  • Hovering over the links in the email reveals the real URLs, which are not Facebook URLs.
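Two of these checks (display name versus real sender domain, and link targets outside the brand's domain) can be automated for a mail filter or a quick triage script. The following is an added example, not code from the original post; it uses only the Python standard library. The sample message is constructed to mirror the spam described above, reusing the sender address quoted in the post; the link target, the "legitimate" comparison message and the allowlist of brand domains are assumptions for the demonstration. The subject/content mismatch is left to human judgment. The same checks answer the questions listed in the Conclusion section.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the spam in the post. The sender address is
# the one quoted in the post; the href is a placeholder, not the real redirect.
SPAM_EMAIL = """\
From: "Facebook" <nondrinker@iztzg.hr>
To: victim@example.invalid
Subject: You have received a new comment
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi ,</p>
<p>You have disabled your Facebook account. You can restore your account
at any moment by <a href="http://redirector.example.invalid/go?id=1">logging into Facebook</a>.</p>
<p>Thanks,<br>The Facebook Team</p>
</body></html>
"""

# Constructed comparison message with a sender and link that stay on-brand
# (both values are assumptions made for this example).
LEGIT_EMAIL = """\
From: "Facebook" <notification@facebook.com>
To: victim@example.invalid
Subject: You have received a new comment
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.facebook.com/">See the comment</a></p></body></html>
"""

# Assumption: domains a genuine Facebook mail may use for sender and links.
BRAND_DOMAINS = {"facebook.com"}


def domain_matches(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def on_brand(host, brand_domains):
    return any(domain_matches(host, d) for d in brand_domains)


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags, i.e. what 'hovering' would reveal."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(msg):
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())
    return parser.links


def check_message(raw, brand="Facebook", brand_domains=BRAND_DOMAINS):
    """Return a list of findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicator 1: display name claims the brand, envelope domain does not.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_dom = addr.rpartition("@")[2]
    if brand.lower() in display.lower() and not on_brand(sender_dom, brand_domains):
        findings.append(f"display name '{display}' but sender domain '{sender_dom}'")

    # Indicator 2: links point somewhere other than the brand's own domains.
    for url in extract_links(msg):
        host = urlparse(url).hostname
        if not on_brand(host, brand_domains):
            findings.append(f"link to non-brand host '{host}': {url}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, check_message(raw) or ["no indicators"])
```

The spam sample produces two findings (mismatched sender domain and an off-brand link); the comparison message produces none. For a real filter, extend BRAND_DOMAINS with the brand's actual sending domains and add the Received-header chain to the checks.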


When clicking on any of the links, you are presented (after several redirects) with the Blackhole Exploit Kit (also known as BH EK). It tries to load a Java exploit on the machine by first detecting which plugins and which Java version you are using:

PluginDetect script used by the kit (image)
The payload? Probably ransomware or a Banker Trojan.


You can find the full JavaScript and the infection source on Pastebin:
http://pastebin.com/9PgDTXsb



Prevention

  • Use the NoScript add-on in Firefox or NotScripts in Chrome to prevent this.
  • Use the WOT add-on to check on the status of a website.
  • Use your common sense and ask yourself the proper questions (see below).
  • Use a URL scanner if you're unsure about a URL. Some examples are VirusTotal, URLvoid and URLquery.




Conclusion

As usual with this kind of email, stay alert and always ask yourself the proper questions:

  • Why did this land in my Unwanted Email or Spam folder if I normally get Facebook mails in my regular Inbox?
  • Why would Facebook send me this when my account isn't disabled at all?
  • Why are those links not pointing to Facebook websites?
  • Why is the sender not Facebook itself? What can I see in the headers?

Use your common sense, keep your third-party applications as well as Windows updated, and use a decent antimalware and antivirus product.
