Email Phishing Attacks On Facebook/Paypal/Amex

  • Largest phishing campaign for 2012 so far
  • 290+ web domains affected
  • Black Hole kit installs ZeuS malware

Trend Micro has announced that a four-month email phishing campaign has been using a sophisticated, targeted approach, impersonating high-profile brands such as Facebook, American Express Australia, PayPal, US Airways, Citibank, and Intuit.

The campaign has been generating high volumes of spam emails with content that is difficult for end users to distinguish from legitimate messages from well-known organisations. The links in the emails lead to legitimate websites that have been compromised to redirect visitors to the infamous Black Hole exploit kit, which installs the ZeuS malware on vulnerable systems in order to steal sensitive information.

The attacks have been tracked by Trend Micro threat researchers, who believe that the campaigns are linked. Dr Jon Oliver, a Melbourne-based Senior Global Threat Researcher for Trend Micro, said the campaign is well executed – using techniques to avoid filters and using social engineering tricks to entice users to click on the malicious links.

“This is the largest phishing campaign we’ve seen so far this year and is notable for its size, sophistication and persistence. In April phishing emails pretending to be from US Airways accounted for more than one percent of the world’s total email traffic. In an outbreak last month, 1,960 compromised pages were detected across 291 compromised web domains. In a recent attack cybercriminals targeted American Express Australia,” said Dr Oliver.

“While the overall volume of spam may be around 20 percent lower this year than in 2011 due to several well-publicised takedowns last year, cybercriminals are now employing new techniques to circumvent anti-spam defences. Greater numbers of smaller botnets are being used and the variables in the attacks, such as links going to compromised webservers, make it harder for spam filters to detect the related links,” he said.

Cybercriminals have broken into the webservers of legitimate organisations and inserted pages containing obfuscated JavaScript that redirects the visitor to the landing page of the exploit kit. Because each email links to a different compromised, otherwise-reputable site rather than to a known-bad domain, the links themselves give spam filters little to match on.

The Black Hole kit then attempts to exploit vulnerabilities in Adobe Reader, Flash Player or Java on the visitor’s system. If one of the exploits succeeds, which is typically the case when that software has not been kept up to date, the kit delivers the actual malware payload.
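The injected redirect page is the stage of this chain that a site owner can actually look for on their own server. The following scanner is an added example, not Trend Micro's tooling or anything recovered from the campaign: it statically unwraps two common JavaScript obfuscation idioms (`unescape('%XX…')` and `String.fromCharCode(…)`) without executing anything, then reports each script block that both uses obfuscation and would send the visitor off-site. The sample pages, the `example.invalid` host names and the exact obfuscation style are constructed for the demonstration; real kits vary and a packer this code does not recognise will not be decoded.

```python
"""Scan HTML for injected, obfuscated redirect scripts (added example).

Static decoding only: unescape('%XX..') and String.fromCharCode(..) layers
are resolved with regular expressions, never by running the JavaScript.
"""
import re
from urllib.parse import unquote, urlparse

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])((?:%[0-9a-fA-F]{2}|[^'\"])*)\1\s*\)")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+)\)")
# Ways a script can move the visitor (or a hidden frame) to another URL.
TARGET_RES = [
    re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"),
    re.compile(r"location\.replace\(\s*['\"]([^'\"]+)['\"]"),
    re.compile(r"<iframe[^>]*\ssrc=['\"]([^'\"]+)['\"]", re.I),
]
# Calls that are rare in hand-written site code but typical of injected loaders.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")


def _from_char_codes(match: re.Match) -> str:
    codes = [int(n) for n in match.group(1).split(",") if n.strip()]
    return "".join(chr(c) for c in codes if c <= 0x10FFFF)


def deobfuscate(src: str, max_rounds: int = 5) -> str:
    """Peel unescape()/fromCharCode() layers until the text stops changing."""
    for _ in range(max_rounds):
        new = UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), src)
        new = FROMCHARCODE_RE.sub(_from_char_codes, new)
        if new == src:
            break
        src = new
    return src


def _host(url: str):
    return urlparse(url).hostname  # None for relative URLs


def scan_page(page: str, own_host: str) -> list:
    """Return one finding per script block that is obfuscated AND redirects off-site."""
    findings = []
    for index, raw in enumerate(SCRIPT_RE.findall(page)):
        decoded = deobfuscate(raw)
        calls = [c for c in SUSPICIOUS_CALLS if c in raw]
        targets = [t for rx in TARGET_RES for t in rx.findall(decoded)]
        foreign = [t for t in targets if _host(t) and _host(t) != own_host]
        if calls and foreign:
            findings.append({"script_index": index, "indicators": calls, "redirects_to": foreign})
    return findings


# ---- Constructed sample input (not from the campaign) ----------------------
REDIRECT_JS = "document.location='http://landing.example.invalid/kit/index.php'"
IFRAME_HTML = '<iframe src="http://frames.example.invalid/l.php" width=1 height=1></iframe>'


def _pct(s: str) -> str:  # build the %XX form an attacker would feed to unescape()
    return "".join("%%%02x" % ord(c) for c in s)


def _fcc(s: str) -> str:  # build a String.fromCharCode(...) call for the same text
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


# A legitimate page with two injected blocks appended after the site's own script.
INJECTED_PAGE = f"""<html><head><title>Acme Widgets</title>
<script src="/js/site.js"></script></head><body><h1>Welcome</h1>
<script>var year=2012;document.getElementById('y').innerText=year;</script>
<script>eval(unescape('{_pct(REDIRECT_JS)}'));</script>
<script>document.write({_fcc(IFRAME_HTML)});</script>
</body></html>"""

# A clean page: a relative redirect and an external script tag, no obfuscation.
CLEAN_PAGE = """<html><body>
<script>if(!navigator.cookieEnabled){location.href='/login?nocookie=1';}</script>
<script src="https://cdn.example.invalid/analytics.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(INJECTED_PAGE, "www.acme.invalid"):
        print(finding)
    print("clean page findings:", scan_page(CLEAN_PAGE, "www.acme.invalid"))
```

Run against a crawl of your own site (or the webroot on disk), passing your canonical host name as `own_host`; a block that uses `eval`/`unescape`/`fromCharCode` and decodes to a `location` assignment or hidden `<iframe>` pointing at a host you do not own is worth treating as an injected redirect until proven otherwise. Legitimate third-party widgets that load cross-site without obfuscation are deliberately not flagged, which is the trade-off that keeps the false-positive rate low.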

“The emails we’re seeing are highly intelligent and well-crafted phishing messages that gain the trust of users. The format and wording are made to look exactly the same as legitimate messages from these companies, which is why they are difficult to detect using traditional methods,” said Dr Oliver.