Now, Symantec has found a site purporting to host the new version – but has found that all is not what it appears. The site is apparently designed to lure hackers in – and serve them ads for related hacker services.
“Recently we were very surprised when we found a website hosting what is supposed to be version 2.0 of the BlackHole Exploit Kit,” Symantec researcher Andrea Lelli explained in the company blog. “Naturally, we started investigating and soon discovered that something about the website was not right.”
For one, the statistics page of the “new” exploit kit looked suspiciously non-updated from the original. The only difference is a BlackHole v.2.0 label at the bottom, and a series of advertisements in Russian at the top. In other words, the page is simply using the Blackhole 2.0 name as bait to lure users into visiting the page, just as spammers often use names of famous people or the latest news events to try to lure users into reading emails.
The ads are clearly aimed at cybercriminals who would be interested in using an exploit kit and who would need an infrastructure for hosting it, Lelli concluded. The ads are for a service for registering domain names, one for server hosting and another for encrypting JavaScript and iframes. Symantec translated one of the ads to read: “Dedicated servers in its own data center in Syria under any projects. Experience 6 + years in the market. Quality sounds! ;-)”
“Altogether these services could offer cybercriminals a complete infrastructure to be used for hosting cybercrime operations,” said Lelli. “In fact, the website advertising encryption and the one advertising domain registering are both well known for providing infrastructures aimed at ‘dirty ops.’ "
“I wonder if the BlackHole author will file a copyright complaint!”, the blogger wryly added.