Fake Apple invoices lead to Blackhole exploit kit that drains your bank account

Filed Under: Adobe, Adobe Flash, Apple, Data loss, Featured, Java, Malware, Oracle, PDF, Spam, Vulnerability

Online criminals using exploits is nothing new, but they are now taking a multi-pronged approach to compromising your security.

They are not just exploiting unpatched flaws in your applications; when that fails they convince you to infect yourself.

Take, for example, this email I received today pretending to be an invoice from Apple for a $699.99 postcard.

Apple spam invoice for $700 postcard

The social engineering isn't exactly perfect. I haven't been known by the Windows variable %email% in at least 10 years. Whoever is behind this has paid a lot of attention to detail, though.

The link "View/Download" ends in download.jpg.exe, while the "Cancel" and "Not your order" URLs end in check.php.

The smart social engineering bit is that, whether you are simply curious what this is about or furious about this unauthorized charge, you are still likely to click one of the links.
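Two of the tells described above, the double-extension link (download.jpg.exe) and the unfilled mail-merge field (%email%), can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the post or from Sophos; the hostname, the check.php query strings and the message body are constructed stand-ins for the real lure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs directly; the lure hides one behind a decoy ".jpg".
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# An unfilled mail-merge field such as %email% betrays a mass-mailing template.
PLACEHOLDER_RE = re.compile(r"%[a-z_]+%", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def double_extension(url):
    """True for names like download.jpg.exe: a decoy extension followed by an executable one."""
    parts = urlparse(url).path.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS


def triage_email(html):
    """Return human-readable findings for one message body."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = [f"executable behind decoy extension: {text!r} -> {href}"
                for href, text in parser.links if double_extension(href)]
    findings += [f"unfilled template placeholder: {tok}"
                 for tok in sorted(set(PLACEHOLDER_RE.findall(html)))]
    return findings


# Constructed sample modelled on the lure the post describes (not the real message).
SAMPLE = """<p>Dear %email%,</p>
<a href="http://example.invalid/download.jpg.exe">View/Download</a>
<a href="http://example.invalid/check.php?a=cancel">Cancel</a>
<a href="http://example.invalid/check.php?a=no">Not your order</a>"""
```

Running `triage_email(SAMPLE)` reports the executable link and the stray placeholder; the check.php links pass, because a .php URL on its own is not an indicator.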

If you click any of the links, you are taken to an unrelated page proclaiming to be the IRS and saying you are not using a supported browser.

Black hole webpage

Once this page is displayed, in the typical fashion of the Blackhole exploit kit, it attempts to deliver exploits against Oracle Java, Adobe Flash Player and Adobe Reader. If any of these are successful, it infects your computer with the Zeus/ZBot Trojan.

Sophos ZBot detection

Worse yet, if none of these works, the image has links to download an "up to date" version of these browsers that simply download a file called update.exe.

If the recipient is exploited, or downloads and executes the file, they are infected with the Zeus/ZBot Trojan, which is designed to log your keystrokes and compromise your bank accounts.

It is always a bad idea to click links that appear in our inboxes, but we may be more likely to do so when we think we are being charged for an illegitimate transaction.

Don't do it. Like anything else, always be suspicious of things that come to you and use a trusted external method of verification.

Go to the website of the company in question, call the number on the back of your card or billing statement, etc.

This is especially important advice at this time of year, as we typically see increased criminal activity during the Christmas season. Be on your guard.

Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as follows:

* Mal/ExpJS-AV: Blackhole exploit JavaScript.
* Troj/Pdfex-HM: Malicious PDF file.
* Troj/SWFExp-AI: Malicious Adobe Flash file.
* Mal/Zbot-JG: Banking Trojan payload.


9 Responses to Fake Apple invoices lead to Blackhole exploit kit that drains your bank account

  1. And the exploit coincides quite nicely with the Apple one day sale

  2. Dada · 1053 days ago

    What format does the 'download.jpg.exe' actually look like if you try to open it? A jpg with .exe as a hidden extension or is it a .exe with that has the letters jpg in the name? If you understand what I mean.

    • It's an executable file that masquerades as a JPG by using a double-extension.

      On many people's computers the '.EXE' part of the name will not be displayed, because of how Windows is configured.

  3. Bastion · 1053 days ago

    These payloads are EXEs, so can they infect a Mac? I thought Blackhole was cross-platform...

    If they cannot, what type of file is a Mac payload?

  4. Bill Caelli · 1053 days ago

    No surprises here - BUT - when will governments make DNSSEC COMPULSORY for the added protection of their citizens?? We have to be able to verify, reasonably, the SOURCE of any such correspondence, just like the old "from" on the back of an envelope in Her Majesty's post - BUT - better! (Right now, for example, my DNSSEC add-in for Firefox is telling me that "nakedsecurity.sophos.com" is NOT TRUSTED (the Sophos domain is not DNS signed!) However, Nominet states as follows, for UK domains:
    "To make DNSSEC an operational reality for .uk zones, the chain of trust has been extended to .uk second level domains. The implementation of DNSSEC on .uk second levels delegated to Nominet was completed on 18 May 2011 with the signing of .sch.uk."

    We need some leadership from Sophos itself!

  5. eos · 1053 days ago

    So my best practice is to create defense in depth to stop crapware. IPfire as a content filter, and Sophos UTM 9 as a gateway firewall with IPS detection equals good luck calling home for malware.

  6. WindowsOnlyVirus · 1052 days ago

    Can you PLEASE lead off EVERY article --- the VERY FIRST SENTENCE --- regarding TROJANS, VIRII, & MALWARE with whether they exploit:

    - Windows & Macs
    - Windows, Macs, & Linux

  7. Jocca · 1051 days ago

    exe files do not run on Mac OS, unless you run Windows OS on your Mac which many people do.

  8. Novirus · 1050 days ago

    Alternatively, avoid all the grubby corporate monsters and never get targeted. :)

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.