Blackhole exploits a major problem in October

Blackhole, says Christopher Boyd, senior threat researcher at GFI Software, “is the chameleon of internet threats. It simplifies the process of creating cybercrime campaigns and is easily adapted to take advantage of the buzz surrounding major news events and popular brands.” It is also easily adapted to target specific users or specific companies with specific malware.

The Blackhole exploit kit is possibly the most widely used and successful criminal infection kit today. It requires that victims first visit a malicious or compromised website containing obfuscated JavaScript. The JavaScript scans the visiting browser for potential vulnerabilities and then attempts to exploit them. If successful, the visitor will be infected with the malware of choice for this particular Blackhole landing page.

Blackhole campaigns are consequently often built around spam emails seeking to socially engineer the target into visiting the malicious landing page. Newsworthy topics, or subjects of interest to a large number of users, are often used. This happened in October. Just prior to the release of Windows 8, some users received an email offering a free license. But, comments GFI, “Users who clicked the malicious link and downloaded the accompanying file were hit with a Blackhole exploit and infected with a Cridex Trojan” rather than a free copy of Windows 8.

Skype, the chat and VoIP firm now part of Microsoft, was also used. Statistic Brain reports that there were 31 million Skype users in January 2012; Skype itself now says that at peak times it has 40 million users online. According to GFI, Skype was used as the basis for numerous malicious campaigns in October. One that led to a Blackhole site comprised emails purporting to be Skype voicemail notifications – but instead delivered a Zeus Trojan.

Facebook was also used, with an email claiming that the user’s Facebook account had been closed and needed to be re-verified. That re-verification again delivered a Zeus Trojan. “Luckily,” says Boyd, “these attacks are relatively easy to avoid by incorporating basic internet safety practices into daily browsing. Users should verify the source and destination of any link before clicking and they should never run executable files unless they are positive that the source is legitimate.”
