Blackhole malware attack poses as rejected wire transfer email

Filed Under: Featured, Malware, Spam

Wire money neon sign. Image from ShutterstockSophosLabs is intercepting a wave of malicious emails that have been spammed out around the world, luring unsuspecting internet users into clicking on a malicious attachment.

The emails all claim to be related to a rejected wire transfer. Although most savvy computer users would realise that unsolicited email is unlikely to be legitimate, there are some who might be vulnerable or merely curious enough to click on the HTML attachment, not realising that it can cause problems for their PC.

Here's a typical example of an email we have intercepted.

Malicious wire transfer email

The subject lines used in the malicious spam campaign can vary, but are all related to a "Wire Transfer Confirmation" (some give a reference number in an attempt to make the message appear more official).

Here is a small selection of the subject lines we saw at SophosLabs during the space of just one minute.

Malicious wire transfer email subject lines

Attached to each email is a file called Wire_AMBA01-Rejected.htm, which Sophos products detect as Troj/JSAgent-CK.

To the casual observer, the file may seem harmless enough - displaying a message saying

"Please wait a moment. You will be forwarded...".

Segment of code

But it's the next section of the HTML code which is interesting. A script deciphers a sequence of numbers into code which the computer then executes.

SophosLabs researchers have tools which help them deobfuscate code like this, to find out what it's really planning to do..

Deobfuscated code

If your computer isn't properly protected, you will be redirected to a hacked Russian website which is playing host to the Blackhole exploit kit - within seconds your computer will most likely be infected by malware.

A few days ago we saw an attack in a similar vein, with a fake Facebook photo tag notification using the Blackhole kit to exploit computers.

As ever, keep your security up-to-date. That not only means running an up-to-date anti-virus, but also ensuring that you have the latest operating system and application patches in place.

Finally, remember to have a spoonful of common sense each morning - and consign unwanted, unsolicited emails to the trash can rather than clicking on any links or attachments that they may contain.

Wire money neon sign image, courtesy of Shutterstock.

, , ,

You might like

6 Responses to Blackhole malware attack poses as rejected wire transfer email

  1. Soshimo · 1171 days ago

    Nice write up Graham. Very informative and accurate. I was especially impressed with the analysis of the javascript. You sir are a true champion for those of us who are not as savy in security related matters.

  2. lewis · 1171 days ago

    great read and is the site hosting the bh exploit been hacked and been exploited or is just been hosted and some kind of bullet proof hosting.

    I also seen a fb application the otherday that directs victims to a website infected with the new orange peel exploit pack.

    They need to target more of these so called bulletproof hosting.

  3. internet explorer · 1170 days ago

    Don't you need to tell us why you "obfuscated" the FROM line in the example you showed? It could be important to know especially if it is taken from our contact list or is a major bank or whatever. Thanks.

  4. Jenny · 1166 days ago

    I'm a bit confused.

    First, I didn't realise that AV could detect problems in .HTM / .HTML files rather than in executable.

    Second, am I correct to think that the document.write loads the iframe from the ru site?


    • Paul Ducklin · 1166 days ago

      To your first question, "Yes."

      Anti-virus software (or anti-malware as it's probably better to describe it these days, lest pedants and purists point out that it no longer blocks only viruses :-) needs to look in all sorts of places these days.

      Not just EXEs, but all sorts of file - Java, JavaScript, HTML, DOC, PDF and many more besides - may contain actively malicious content, or some sort of trigger component which makes your computer go and fetch malicious content without your consent or approval.

      To your second question, "Yes."

      Or, "Sort of yes". The document.write() injects the IFRAME into the currently-rendering web page, where your browser consumes and processes it _as if it had been in the web page from the start_. Since the IFRAME references a URL on the .ru site, content gets slurped in from there by your browser.

      Strictly speaking, therefore, the document.write() command inside the browser's JavaScript engine doesn't directly trigger the download. But it certainly causes it to happen, albeit after the document.write() has done its job.


  5. Linda · 1059 days ago

    I have gotten two of these, both following a request to transfer funds from my bank to my credit union account at a different location. I, of course did not click the links. It shows up in my spam email account. But find it quite ironic that it happened both times within a day of my transfer request stated above. Do I need to alert my banking facilities???

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley