Monday, August 6, 2012

AT&T Phishing Attack - BlackHole Back in Action

Attackers are using legitimate organizations' brand names to distribute phishing emails to large sections of users. This time the AT&T brand name is being used to deliver the phishing emails, and we have been receiving them continuously. The first attempt made by the phisher failed because the injected links were not embedded correctly, which made the phishing attempt useless. The very next day we received a similar email, but this time the phishers were right on target: the second email contained working malicious links. Let's have a look at the phishing email message:


On following the embedded links, the browser was forced to visit the malicious domain presented below:

This page contains an obfuscated malicious iframe that is rendered dynamically to load a plugin detection script from a third-party domain; that script fingerprints the user's environment and serves the exploit matching it. BlackHole BEP is being used to distribute exploits against vulnerable browsers and plugins. The iframe loads the web page containing the plugin detection script, which shows a redirection message as follows:
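Two of the indicators described above, brand-named link text pointing at a different host and a hidden iframe, can be checked statically before a message reaches a user. The following is an added example, not code from the original post; the email body, the `billing-update.example` and `landing.example` hosts and the `BRAND_DOMAINS` list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a brand-themed phishing email body (not the original message).
SAMPLE_EMAIL = """
<html><body>
<p>Your AT&amp;T bill is ready.</p>
<a href="http://billing-update.example/att/view">www.att.com/billing</a>
<a href="https://www.att.com/support">Help</a>
<iframe src="http://landing.example/kit.php" width="1" height="1"></iframe>
</body></html>
"""

BRAND_DOMAINS = {"att.com"}  # assumed list of brands worth protecting

def _domain(host):
    # Keep only the last two labels: www.att.com -> att.com
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class PhishFeatures(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "iframe":
            # A 1x1 (or smaller) iframe is a classic way to hide a loader
            w, h = a.get("width", "100"), a.get("height", "100")
            if w.isdigit() and h.isdigit() and (int(w) <= 2 or int(h) <= 2):
                self.findings.append(("hidden_iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip().lower().split("/")[0]
            shown_dom = _domain(shown) if "." in shown else ""
            href_dom = _domain(urlparse(self._href).hostname or "")
            # Visible text names a brand domain but the href goes elsewhere
            if shown_dom in BRAND_DOMAINS and href_dom != shown_dom:
                self.findings.append(("link_mismatch", self._href))
            self._href = None

def scan_email(html):
    p = PhishFeatures()
    p.feed(html)
    p.close()
    return p.findings
```

An iframe that is written by obfuscated JavaScript at render time, as on the landing page described here, is not visible to a static parser like this one; it catches the mail-side indicators only.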

The HTML content of the phishing email is pasted here -

The malicious script (deobfuscated) can be found here:

This link - hxxp:// loads the plugin fingerprinting script and connects back to BlackHole BEP.

This host (IP) has been associated with several different domain names used to spread malware via BlackHole. Query here -

These emails are delivered as if they were legitimate, and spam detection engines fail to provide any protection. Try not to fall prey to these phishing attempts.