And, oh: Facebook users should watch their backs, too.
Our malware researchers at the AV Labs, Robert and Matthew, have seen something in the wild that might spoil the holiday spirits a bit. It began as an email message supposedly from Amazon with the subject "Your Amazon.com order of Omron WXH-108F Fat Loss... has shipped".
Clicking any of the links in the email body directs users to jongerencentrumdebus(dot)nl/wp-content/uploads/fgallery/news.html, a likely compromised site, which then redirects them to ageoloft(dot)info/main(dot)php?page=525447c096f8efbf, a known Black Hole Exploit Kit host.
The ageoloft(dot)info host automatically downloads a PDF file (an exploit) onto the system. This file then exploits Adobe Reader to run malicious executable files on the system. Furthermore, a worm, which GFI Software detects as Win32.Malware!Drop, is also downloaded.
We detect the exploit page as Trojan.JS.Obfuscator.w (v), and the PDF file that is part of the kit as Exploit.PDF-JS.Gen (v).
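For defenders reviewing web proxy logs, the redirect chain described above (compromised site, then kit landing page, then PDF) can be hunted for as shown below. This is an added example, not GFI's code; the tab-separated log format, the `/constructed.pdf` path, and the generalisation of the landing URL to `main.php?page=` followed by 16 hex digits are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators as the post writes them (defanged); refanged only in memory.
PAGE_IOCS = [
    "jongerencentrumdebus(dot)nl/wp-content/uploads/fgallery/news.html",
    "ageoloft(dot)info/main(dot)php?page=525447c096f8efbf",
]
# Assumption: generalise the post's landing URL to main.php?page=<16 hex digits>.
LANDING = re.compile(r"^/main\.php\?page=[0-9a-f]{16}$")

def refang(text):
    return text.replace("(dot)", ".")

def split_url(url):
    parts = urlsplit(url if "://" in url else "http://" + url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return (parts.hostname or ""), path

def find_chains(lines):
    """Correlate cross-site landing-page hits with a later PDF from the same host."""
    known_hosts = {split_url(refang(i))[0] for i in PAGE_IOCS}
    chains = {}  # (client, kit_host) -> finding
    for line in lines:
        client, url, referer, ctype = line.split("\t")
        host, path = split_url(refang(url))
        ref_host = split_url(refang(referer))[0] if referer != "-" else ""
        key = (client, host)
        if LANDING.match(path) and ref_host and ref_host != host:
            chains[key] = {"client": client, "redirector": ref_host, "kit_host": host,
                           "known_ioc": host in known_hosts, "pdf_served": False}
        elif key in chains and ctype == "application/pdf":
            chains[key]["pdf_served"] = True
    return list(chains.values())

# Constructed proxy log: client, URL, referer, content type (tab separated, defanged).
SAMPLE_LOG = [
    "10.0.0.5\thttp://jongerencentrumdebus(dot)nl/wp-content/uploads/fgallery/news.html\t-\ttext/html",
    "10.0.0.5\thttp://ageoloft(dot)info/main.php?page=525447c096f8efbf\thttp://jongerencentrumdebus(dot)nl/wp-content/uploads/fgallery/news.html\ttext/html",
    "10.0.0.5\thttp://ageoloft(dot)info/constructed.pdf\thttp://ageoloft(dot)info/main.php?page=525447c096f8efbf\tapplication/pdf",
    "10.0.0.9\thttp://intranet.example/main.php?page=home\t-\ttext/html",
]
```

A finding with `pdf_served` set means the client reached the landing page from another site and then received a PDF from the same host, so that machine should be checked for the Adobe Reader exploit and the dropped worm.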
With the number of Internet users shopping online using services such as Amazon and eBay, it pays to be cautious fourfold, especially at this time of the year. Criminals know when and how users—you—spend their time there.
Jovi Umawing (Thanks to Robert and Matthew)