Fake Apple invoices lead to Blackhole exploit kit that drains your bank account

Online criminals using exploits is nothing new, but they are now taking a multi-pronged approach to compromising your security.

They are not just exploiting unpatched flaws in your applications; when that fails they convince you to infect yourself.

Take, for example, this email I received today pretending to be an invoice from Apple for a $699.99 postcard.

[Image: Apple spam invoice for $700 postcard]

The social engineering isn’t exactly perfect. I haven’t been known by the Windows variable %email% in at least 10 years. Whoever is behind this has paid a lot of attention to detail, though.

The link “View/Download” ends in download.jpg.exe, while the “Cancel” and “Not your order” URLs end in check.php.

The smart social engineering bit is that, whether you are simply curious what this is about or furious about this unauthorized charge, you are still likely to click one of the links.
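The tells described above (a "View/Download" link whose file name ends in download.jpg.exe, and an unrendered %email% merge field in the body) can be checked mechanically before anyone clicks. The following script is an added example and not Sophos' own tooling: it parses an HTML message, flags links whose path ends in a Windows executable (the same check catches the update.exe fallback download described later), notes a decoy extension hidden in front of the real one, and lists any unrendered mail-merge fields. The sample message, the hostnames and the suffix lists are constructed for the example.

```python
# Added example (not Sophos' code): flag the tell-tale signs of the invoice
# e-mail described above. The sample message and hostnames are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# File types that run on Windows when double-clicked (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Harmless-looking suffixes used to disguise them ("download.jpg.exe").
DECOY_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt")
# Unrendered mail-merge fields such as %email% in the message body.
MERGE_FIELD = re.compile(r"%[A-Za-z_]+%")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []       # all visible text, for the merge-field check
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def link_findings(href):
    """Return the reasons a single link looks like a malware lure."""
    # Only the path matters: a ".com" host must not trip the executable check.
    filename = urlsplit(href).path.rsplit("/", 1)[-1].lower()
    findings = []
    if filename.endswith(EXECUTABLE_SUFFIXES):
        findings.append("executable download")
        stem = filename.rsplit(".", 1)[0]
        if stem.endswith(DECOY_SUFFIXES):
            findings.append("double extension")
    return findings


def analyse_email(html):
    """Return per-link findings plus any unrendered merge fields in the body."""
    parser = LinkCollector()
    parser.feed(html)
    report = {"links": {}, "merge_fields": []}
    for href, label in parser.links:
        findings = link_findings(href)
        if findings:
            report["links"][href] = {"label": label, "findings": findings}
    report["merge_fields"] = sorted(set(MERGE_FIELD.findall("".join(parser.text))))
    return report


# Constructed sample modelled on the invoice e-mail; hosts are placeholders.
SAMPLE_EMAIL = """
<p>Dear %email%, thank you for your order of one postcard ($699.99).</p>
<p><a href="http://lure.example.invalid/download.jpg.exe">View/Download</a></p>
<p><a href="http://lure.example.invalid/check.php">Cancel</a> |
   <a href="http://lure.example.invalid/check.php">Not your order?</a></p>
<p><a href="https://www.example.com/order/12345">Order details</a></p>
"""

if __name__ == "__main__":
    result = analyse_email(SAMPLE_EMAIL)
    for href, info in result["links"].items():
        print(f"{info['label']!r} -> {href}: {', '.join(info['findings'])}")
    print("unrendered merge fields:", result["merge_fields"])
```

Run against the sample, only the "View/Download" link is reported (executable download with a double extension); the check.php links and the legitimate order link pass, and %email% is listed as an unrendered merge field. The same `link_findings` check reports a bare update.exe as an executable download without the decoy extension.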

If you click any of the links, you are taken to an unrelated page proclaiming to be the IRS and saying you are not using a supported browser.

[Image: Blackhole landing page]

Once this page is displayed, in the typical fashion of the Blackhole exploit kit, it attempts to deliver exploits against Oracle Java, Adobe Flash Player and Adobe Reader. If any of these are successful, it infects your computer with the Zeus/ZBot Trojan.

[Image: Sophos ZBot detection]

Worse yet, if none of these works, the image has links to download an “up to date” version of these browsers that simply downloads a file called update.exe.

If the recipient is exploited, or downloads and executes the file, they are infected with the Zeus/ZBot Trojan, which is designed to log your keystrokes and compromise your bank accounts.

It is always a bad idea to click links that appear in our inboxes, but we may be more likely to do so when we think we are being charged for an illegitimate transaction.

Don’t do it. Like anything else, always be suspicious of things that come to you and use a trusted external method of verification.

Go to the website of the company in question, call the number on the back of your card or billing statement, etc.

This is especially important advice at this time of year, as we typically see increased criminal activity during the Christmas season. Be on your guard.

Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as follows:

* Mal/ExpJS-AV: Blackhole exploit JavaScript.
* Troj/Pdfex-HM: Malicious PDF file.
* Troj/SWFExp-AI: Malicious Adobe Flash file.
* Mal/Zbot-JG: Banking Trojan payload.