Malicious email campaigns exploiting Java

Two particular campaigns have been noted. Late in August Microsoft began mailing customers about a change to its Services Agreement. That email has now been spoofed: in the malicious version the legitimate Microsoft links have been replaced with links to a site hosting the Blackhole exploit kit, including the Java exploit. If the exploit succeeds – and remember that Blackhole contains many alternative exploits, so the kit does not depend on Java alone – the user is infected with a new Zeus variant.

Seculert has some figures on the effectiveness of the Java exploit in the days prior to Oracle’s patch. “Usually, a good exploit kit like BlackHole has a success rate of around 10 percent for infecting machines visiting the servers,” it reports. “In the new version of BlackHole infection servers, we have seen up to a 25 percent success rate!”

In the second campaign, Websense has detected emails pretending to be order verifications from Amazon. The company reported yesterday that it had detected 10,000 malicious emails with the subject ‘You Order With Amazon.com.’ The body asks the user to “Please click here and verify your order #3617779 with Amazon.com.” The ‘click here’ link ultimately takes the user to a Blackhole landing page.

The zero-day Java exploit used in these campaigns has now been patched by Oracle. However, Security Explorations, the company that originally discovered the exploit as well as the new sandbox bypass flaw, has pointed out that not all of the vulnerabilities it reported to Oracle have yet been fixed.

Users are therefore still advised to disable Java wherever possible. Other recommendations are to stay alert for anything suspicious (such as the grammatical error in the fake Amazon email, which uses ‘You’ rather than ‘Your’), and to hover the cursor over links before clicking to check that the real target belongs to the domain the email claims to come from. Needless to say, anti-virus defenses should be kept up to date: that way, even if Blackhole manages to infect a computer, the infection itself may be detected and removed.
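The “hover over the link” advice amounts to a simple check: does the link’s real target belong to the domain the email claims to come from? The Python script below applies that check to an HTML email. It is an added example, not code from this article or from Websense, Seculert or Security Explorations. The sender-to-domain table, the two sample messages and the evil.example host are constructed for the example; the order number is the one quoted in the Amazon lure above.

```python
"""Flag links in an HTML email whose real target is outside the sender's domain."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: which link domains a sender domain may legitimately use.
TRUSTED_LINK_DOMAINS = {
    "amazon.com": {"amazon.com"},
    "microsoft.com": {"microsoft.com", "live.com"},
}

# Constructed sample: the Amazon-style lure, with a "click here" link to a hostile
# host and a second link whose visible text is an Amazon URL but whose href uses a
# "user@host" trick so the real host is evil.example.
PHISH = """From: "Amazon.com" <order-update@amazon.com>
Subject: You Order With Amazon.com
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please <a href="http://evil.example/verify.php">click here</a> and verify your order #3617779 with Amazon.com.</p>
<p><a href="https://www.amazon.com@evil.example/">https://www.amazon.com/your-orders</a></p>
</body></html>
"""

# Constructed sample: a message whose only link stays on the sender's domain.
LEGIT = """From: "Amazon.com" <order-update@amazon.com>
Subject: Your Amazon.com order
Content-Type: text/html; charset=us-ascii

<html><body><p>View <a href="https://www.amazon.com/gp/css/order-history">Your Orders</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _in_domains(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one (dot boundary)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def suspicious_links(raw_message):
    """Return [(href, reason)] for every link a careful reader should not click."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    allowed = TRUSTED_LINK_DOMAINS.get(sender_domain, {sender_domain})
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())

    findings = []
    for href, text in collector.links:
        parts = urlsplit(href.strip())
        if parts.scheme.lower() not in ("http", "https"):
            findings.append((href, "non-http link"))
            continue
        # .hostname drops any "user@" prefix, so https://www.amazon.com@evil.example/ -> evil.example
        host = parts.hostname
        if not _in_domains(host, allowed):
            findings.append((href, "target %s is outside %s" % (host, sender_domain)))
            continue
        # Visible text that is itself a URL must point at the same host as the href.
        shown = urlsplit(text)
        if shown.scheme and shown.hostname and shown.hostname.lower() != host.lower():
            findings.append((href, "text shows %s but target is %s" % (shown.hostname, host)))
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, suspicious_links(sample))
```

Two details carry the weight here. `urlsplit(...).hostname` discards anything before an `@`, which is how the second link’s real host is recovered; and `_in_domains` matches on a dot boundary, so `www.amazon.com` is accepted while `amazon.com.evil.example` is not. Run against the phishing sample both links are reported; the legitimate sample produces no findings.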
