Online criminals using exploits is nothing new, but they are now taking a multi-pronged approach to compromising your security.
They are not just exploiting unpatched flaws in your applications; when that fails they convince you to infect yourself.
Take, for example, this email I received today pretending to be an invoice from Apple for a $699.99 postcard.
The social engineering isn’t exactly perfect. I haven’t been known by the Windows variable %email% in at least 10 years. Whoever is behind this has paid a lot of attention to detail, though.
The link “View/Download” ends in download.jpg.exe, while the “Cancel” and “Not your order” URLs end in check.php.
The smart social engineering bit is that, whether you are simply curious what this is about or furious about this unauthorized charge, you are still likely to click one of the links.
If you click any of the links, you are taken to an unrelated page proclaiming to be the IRS and saying you are not using a supported browser.
Once this page is displayed, in the typical fashion of the Blackhole exploit kit, it attempts to deliver exploits against Oracle Java, Adobe Flash Player and Adobe Reader. If any of these are successful, it infects your computer with the Zeus/ZBot Trojan.
Worse yet, if none of these works, the image contains links to download an “up to date” version of these browsers, which simply downloads a file called update.exe.
If the recipient is exploited or downloads and executes the file, they are infected with the Zeus/ZBot Trojan, which is designed to log your keystrokes and compromise your bank accounts.
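One defensive check for the lure described above, added here as an example and not part of the original post: a small Python mail-filter rule that pulls the anchors out of an email body and flags the double-extension executable (download.jpg.exe) and any action link that leaves the claimed sender's domain. The HTML body and the lure.example host are constructed placeholders, not the campaign's real URLs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; hosts are placeholders.
SAMPLE_EMAIL_HTML = """
<p>Invoice for order W123: Postcard, $699.99</p>
<a href="http://lure.example/files/download.jpg.exe">View/Download</a>
<a href="http://lure.example/check.php?act=cancel">Cancel</a>
<a href="http://lure.example/check.php?act=wrong">Not your order</a>
<a href="https://www.apple.com/support/">Apple Support</a>
"""

EXEC_EXTS = r"(?:exe|scr|com|bat|pif)"
# "harmless.jpg.exe" style names: a document/image extension directly before an executable one
DOUBLE_EXT = re.compile(r"\.(?:jpe?g|png|gif|pdf|doc|txt)\." + EXEC_EXTS + r"$", re.I)
EXEC_EXT = re.compile(r"\." + EXEC_EXTS + r"$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def flag_links(html, claimed_domain):
    """Return {href: [reasons]} for links a mail filter should quarantine or rewrite."""
    parser = LinkCollector()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if DOUBLE_EXT.search(url.path):
            reasons.append("double extension hiding an executable")
        elif EXEC_EXT.search(url.path):
            reasons.append("direct executable download")
        # An "Apple" invoice whose Cancel / Not your order links leave apple.com is a lure
        if host != claimed_domain and not host.endswith("." + claimed_domain):
            reasons.append(f"'{text}' link leaves the claimed sender domain ({host})")
        if reasons:
            findings[href] = reasons
    return findings

if __name__ == "__main__":
    for href, why in flag_links(SAMPLE_EMAIL_HTML, "apple.com").items():
        print(href, "->", "; ".join(why))
```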
It is always a bad idea to click links that appear in our inboxes, but we may be more likely to do so when we think we are being charged for an illegitimate transaction.
Don’t do it. As with anything else that arrives unsolicited, always be suspicious of it and use a trusted external method of verification.
Go to the website of the company in question, call the number on the back of your card or billing statement, etc.
This is especially important advice at this time of year, as we typically see increased criminal activity during the Christmas season. Be on your guard.
* Troj/Pdfex-HM: Malicious PDF file.
* Troj/SWFExp-AI: Malicious Adobe Flash file.
* Mal/Zbot-JG: Banking Trojan payload.
9 comments on “Fake Apple invoices lead to Blackhole exploit kit that drains your bank account”
And the exploit coincides quite nicely with the Apple one day sale
What format does the 'download.jpg.exe' actually look like if you try to open it? A jpg with .exe as a hidden extension or is it a .exe with that has the letters jpg in the name? If you understand what I mean.
It's an executable file that masquerades as a JPG by using a double-extension.
On many people's computers the '.EXE' part of the name will not be displayed, because of how Windows is configured.
These payloads are EXEs, so can they infect a Mac? I thought Blackhole was cross-platform…
If they cannot, what type of file is a Mac payload?
No surprises here – BUT – when will governments make DNSSEC COMPULSORY for the added protection of their citizens?? We have to be able to verify, reasonably, the SOURCE of any such correspondence, just like the old "from" on the back of an envelope in Her Majesty's post – BUT – better! (Right now, for example, my DNSSEC add-in for Firefox is telling me that "nakedsecurity.sophos.com" is NOT TRUSTED; the Sophos domain is not DNS signed!) However, Nominet states as follows, for UK domains:
" To make DNSSEC an operational reality for .uk zones, the chain of trust has been extended to .uk second level domains. The implementation of DNSSEC on .uk second levels delegated to Nominet was completed on 18 May 2011 with the signing of .sch.uk. "
We need some leadership from Sophos itself!
So my best practice is to create defense in depth to stop crapware. IPfire as a content filter, and Sophos UTM 9 as a gateway firewall with IPS detection equals good luck calling home for malware.
Can you PLEASE lead off EVERY article — the VERY FIRST SENTENCE — regarding TROJANS, VIRII, & MALWARE with whether they exploit:
– Windows & Macs
– Windows, Macs, & Linux
– JUST WINDOWS!!!
exe files do not run on Mac OS, unless you run Windows OS on your Mac, which many people do.
Alternatively, avoid all the grubby corporate monsters and never get targeted. 🙂