An Intuit phishing campaign started today. The structure and concept of the attack are the same as discussed earlier. Let's dissect the details of this campaign. The email arrives in your inbox in the format presented below:
The accompanying link is: hxxp://numerodedicato.altervista.org/blog/wp-content/uploads/fgallery/updint.html. On visiting the link, the user sees a webpage with the following layout:
Deobfuscating the page reveals an iframe that loads content from the following URL: hxxp://roadmateremove.org/main.php?page=9bb4aab85fa703f5
The obfuscated plugin-detection script is here: http://pastebin.com/biZnVwMD
The deobfuscated plugin-detection script is here: http://pastebin.com/hsKKn6EP
Many AV engines report this website as benign, but the domain is hosting a Blackhole (BH) exploit pack. Let's look further:
On deobfuscation we get the following applet code:
Something seems suspicious with the Pre.jar file here. Further, the request to this link: hxxp://roadmateremove.org/data/hhcp.php?c=8896e loads the iframe for the plugin-detection code. On successful verification and fingerprinting, the Pre.jar file is served to vulnerable systems. A quick check on VirusTotal only provides a reference to the Blackhole exploit kit.
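The two tells in this chain (a hidden iframe pulling the exploit-pack landing page, then an applet tag loading a .jar) are easy to pick out of a saved landing page mechanically. The script below is an added example written for this post, not code from the campaign or the original analysis: it scans HTML for iframes and applets, flags the ones that are one pixel in size, hidden via CSS, or that load a .jar archive, and emits the referenced URLs defanged for an IoC list. The embedded HTML is a constructed sample with placeholder `.example` hosts, not the campaign's actual page.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (placeholder hosts, not the real campaign HTML):
# a plugin-detection page that injects a hidden iframe for the exploit-pack
# landing page and an applet that loads a .jar, next to one harmless iframe.
SAMPLE_HTML = """
<html><body>
<h1>Intuit update</h1>
<iframe src="http://exploit-host.example/main.php?page=0123456789abcdef"
        width="1" height="1" style="visibility: hidden"></iframe>
<applet code="Pre.class" archive="http://exploit-host.example/data/Pre.jar"
        width="1" height="1">
  <param name="val" value="placeholder"/>
</applet>
<iframe src="https://www.example.org/widget" width="600" height="400"></iframe>
</body></html>
"""


def _is_tiny(attrs):
    """True when width or height is 0 or 1 px, a common way to hide a frame."""
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:
        return False  # percentages or garbage: don't flag on size alone
    return width <= 1 or height <= 1


def _is_css_hidden(attrs):
    """True when inline style hides the element (display:none / visibility:hidden)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class SuspiciousTagScanner(HTMLParser):
    """Collect iframe and applet elements with the reasons they look suspicious."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            reasons = []
            if _is_tiny(a):
                reasons.append("zero/one-pixel size")
            if _is_css_hidden(a):
                reasons.append("hidden via style")
            self.findings.append({"tag": "iframe", "url": a.get("src", ""), "reasons": reasons})
        elif tag == "applet":
            archive = a.get("archive", "")
            reasons = ["java applet"]
            if archive.lower().endswith(".jar"):
                reasons.append("loads .jar archive")
            if _is_tiny(a):
                reasons.append("zero/one-pixel size")
            self.findings.append({"tag": "applet", "url": archive or a.get("code", ""), "reasons": reasons})


def scan_html(html):
    """Return only the iframe/applet findings that have at least one reason."""
    parser = SuspiciousTagScanner()
    parser.feed(html)
    parser.close()
    return [f for f in parser.findings if f["reasons"]]


def defang(url):
    """Neutralise a URL for reporting: http -> hxxp and '.' -> '[.]' in the host."""
    m = re.match(r"^(https?)://([^/]+)(.*)$", url, re.IGNORECASE)
    if not m:
        return url
    scheme, host, rest = m.groups()
    return f"{scheme.replace('ttp', 'xxp')}://{host.replace('.', '[.]')}{rest}"


def report(html):
    """One defanged line per suspicious element, ready for a ticket or blocklist."""
    return [f"{f['tag']}: {defang(f['url'])} ({'; '.join(f['reasons'])})" for f in scan_html(html)]


if __name__ == "__main__":
    for line in report(SAMPLE_HTML):
        print(line)
```

The visible 600x400 iframe is deliberately left out of the findings, so the output is only the two elements an analyst would want to chase: the hidden landing-page frame and the applet's .jar. Feed it the saved source of a suspicious page (after deobfuscation, as in this post) rather than fetching live, and the defanged lines drop straight into a report.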
Definitely a Java exploit in action.
This analysis is based on the specific link that accompanied this sample. The embedded links may change in other phishing emails.