The inner workings of a phishing scam
Contributed by: Email on 05/03/2012 11:10 AM
[
Comments
]
One of the more recent high-volume spam runs that sent users to a website compromised with the Black Hole exploit kit, used various names, such as Facebook, US Airways, Linkedin and USPS. A more recent attach was named CareerBuilder.
The main components of the scam are the following:
• Phishing messages using the names of various organizations spread via email to targets predominantly in the United States. The content of these phishing e-mails were practically indistinguishable from legitimate messages.
• Links in these messages led to multiple compromised websites that redirected the user to various malicious sites. Collectively, these compromised sites numbered in the thousands.
• Users were eventually directed to sites containing the Black Hole exploit kit.
In the case of the Facebook lure attack, which consisted of a fake friend request sent to the victim, the link in the spam goes to various compromised web sites. Identified so far: more than 2,000 distinct URLs used in this attack, distributed over 374 domains. On average, each compromised domain hosted 5 separate malicious landing pages.
There is evidence that all these spam attacks are linked. The same set of compromised URL's were used in many cases, suggesting that some of the attackers responsible for these attacks are identical, if not the same group.
In the entire realm of things, these attacks were not particularly high as far as spam attacks go. The largest of these attacks were those that used US Airways, which peaked at approximately 1% of all email sent. However, due to their persistence they still pose a serious threat to users. The goal of these attacks is to install ZeuS variants onto user systems, in order to steal the information of users.
The main components of the scam are the following:
• Phishing messages using the names of various organizations spread via email to targets predominantly in the United States. The content of these phishing e-mails were practically indistinguishable from legitimate messages.
• Links in these messages led to multiple compromised websites that redirected the user to various malicious sites. Collectively, these compromised sites numbered in the thousands.
• Users were eventually directed to sites containing the Black Hole exploit kit.
In the case of the Facebook lure attack, which consisted of a fake friend request sent to the victim, the link in the spam goes to various compromised web sites. Identified so far: more than 2,000 distinct URLs used in this attack, distributed over 374 domains. On average, each compromised domain hosted 5 separate malicious landing pages.
There is evidence that all these spam attacks are linked. The same set of compromised URL's were used in many cases, suggesting that some of the attackers responsible for these attacks are identical, if not the same group.
In the entire realm of things, these attacks were not particularly high as far as spam attacks go. The largest of these attacks were those that used US Airways, which peaked at approximately 1% of all email sent. However, due to their persistence they still pose a serious threat to users. The goal of these attacks is to install ZeuS variants onto user systems, in order to steal the information of users.
Comments
