New wave of phishing attacks serves malware to PCs and Macs

Summary: Malware distributors have launched a new wave of attacks aimed at taking over unpatched PCs and Macs. They look like routine messages from a bank or a social network, but instead of phishing for passwords, they're serving up malware.


In the past few weeks, I’ve noticed an alarming increase in fraudulent email messages coming to some old, well-established email addresses of mine.

It’s not just the quantity of messages that’s noteworthy, it’s the quality as well. This particular wave of attacks includes some attacks that are frighteningly real looking. And they’re being used to serve up a toxic brew of malware to unprotected systems.

Consider these two examples of messages I received this week. The first appears to be a fraud alert from American Express:

It has all the right logos, and the wording has the same professional tone and grammatical accuracy I would expect of a legitimate communication from American Express. Unlike many phishing messages, this one made me look much more closely, and I suspect that the click-through rate was higher than most such attempts.


In the screenshot above, I’ve rested the mouse pointer over one of the links in the message. It doesn’t lead to an official AmEx site, but rather to a compromised site hosted at a domain in the Czech Republic.

Even more interesting is the destination. Historically, phishing attacks try to re-create a legitimate site, with the goal of convincing the victim to enter his or her username and password. Clicking this link led to a site that served up a variant of the Blacole (aka “blackhole”) exploit capable of installing a very nasty data-stealing Trojan on a PC or Mac that’s running outdated versions of Java, Adobe Shockwave, Adobe Acrobat and Reader, and other third-party software.

The sites those links lead to are probably running outdated WordPress installations that were remotely compromised to serve up a collection of exploits aimed at unpatched systems.

Another wave of messages to this account appeared to be from LinkedIn (ZDNet’s Dancho Danchev also flagged this attack earlier in the week). Again, they were skillfully done. Even a cautious recipient could be convinced to click one of the target links.

This sample led to another compromised website serving up a similar collection of exploits from the Blacole family.

Update: Danchev has more details on the LinkedIn wave of attacks in this post at the Webroot Threat Blog:

The campaign is using real names of LinkedIn users in an attempt to increase the authenticity of the spamvertised campaign.

The cybercriminals behind the campaign are currently relying on thousands of compromised legitimate sites, in an attempt to trick Web reputation filters into thinking that the payload is not malicious. Combined with the ever-decreasing price for launching a spam campaign through a botnet, the cybercriminals behind the campaign will definitely break-even from their original investment, and achieve a positive ROI (return on investment).

Mac users aren't immune from this type of attack either. In recent weeks, security researchers I stay in touch with have observed an uptick in installations of the OSX/Flashback Trojan, which can be installed automatically via Java exploits or interactively, via social engineering.

The best protection available for this type of attack isn’t antivirus software; it’s a good spam filter and an effective update routine. Most of these messages were correctly flagged as spam by Microsoft Outlook, which moved them to the Junk E-mail folder and disabled all links. It also converted the HTML to plain text, making the fraudulent links obvious.

That combination of measures effectively kneecapped the potential exploit. To trigger the infection, the recipient would have to move the message to the inbox and then click on the booby-trapped link.
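As an added illustration (not code from the article), the following Python script performs the two checks described above in code: it flattens an HTML message to plain text with each link's real destination shown inline, the way the junk-mail conversion does, and flags links whose target host is outside the claimed brand's domain or disagrees with a URL displayed in the link text, which is what hovering over the link reveals. The sample message and its hostnames are constructed placeholders, and `brand_domain` plus the helper names are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the fraud-alert lure described above;
# the hostnames are placeholders, not the campaign's real domains.
SAMPLE_HTML = """
<p>Dear Cardmember, unusual activity was detected on your account.</p>
<p>Visit <a href="http://compromised-site.invalid/wp-content/alert.php">
https://www.americanexpress.com/fraud</a> to review this alert.</p>
<p><a href="https://www.americanexpress.com/privacy">Privacy Policy</a></p>
"""

def registrable(host):
    """Crude last-two-label domain (no public-suffix list); enough here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkTextifier(HTMLParser):
    """Flatten HTML to plain text, writing every link as 'text <href>'
    so the real destination is visible without hovering."""
    def __init__(self):
        super().__init__()
        self.out, self.links, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        (self._buf if self._href is not None else self.out).append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._buf).split())
            self.out.append(f" {text} <{self._href}> ")
            self.links.append((text, self._href))
            self._href = None

def suspicious_links(html, brand_domain):
    """Return (flagged links, plain text). Flag a link whose href host is
    outside brand_domain or disagrees with a URL shown in the anchor text."""
    parser = LinkTextifier()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if "://" in text else None
        off_brand = registrable(host) != brand_domain.lower()
        mismatch = shown is not None and registrable(shown) != registrable(host)
        if off_brand or mismatch:
            flagged.append((text, href))
    return flagged, " ".join("".join(parser.out).split())
```

Run `suspicious_links(SAMPLE_HTML, "americanexpress.com")` to see the AmEx-looking link flagged while the genuine privacy link passes; a real filter would add a public-suffix list and an allowlist for a brand's legitimate third-party hosts.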

Even if a user could be convinced to click on the links, the exploits in question won't work on a system that is properly updated. The exploits used in the two attacks I saw were aimed at vulnerabilities that were found and patched in 2010. Sadly, the population of computer users who ignore third-party software updates is big enough for this type of attack to be successful.

  • Phishing Trip

    I have received a number of these as well from LinkedIn, YouTube, and some Tagged Web site. I feel bad for legitimate attempts by Financial Services companies to contact you via e-mail these days, but not as bad as I do the victims that fall prey to these scams.
    • I am seeing some very intelligent phishing scams that will be hard to beat

      I recently got a "Facebook notification" that looked quite real, in that it was clearly aware of who I was, and purported to be a message from a friend.

      I would have fallen for it hook, line, and sinker if it wasn't for the fact that the friend in question passed away three years ago.

      Frightening though, that somehow these guys are now able to parse your social networking, and personalize their spamming and phishing so cleverly.
      • Not on these sites

        This is why I stay away from Facebook, Twitter, Linkedin, etc.
      • social sites aren't all...

        I recently have received emails on my Mac appearing to come from AT&T (after getting my first account with AT&T only 3 months ago) but a couple at work with our own company logo on a Windows PC (after being hired 3 months ago), that were phishing scams. My company has less than 1000 employees too so I was pretty surprised it was used. The logos gave them away though - they looked as if they'd been photocopied 97 times, they just gave me a funny feeling anyway as the wording sounded good, but had a very subtle way of heightening your awareness. I wish I knew a good way to get back at these f%&#heads that would waste more of their time than mine.
    • Never reply to an email, always call your bank.

      Amex recently called me home to ask me if an attempt to buy airline tickets using my credit card was legitimate (it was not). I value Amex for their great service.
      The bottom line - if your bank feels that sending you a fraud alert email is enough, switch to a better bank.
  • I still don't understand.

    Are people really falling for this sort of scam? I'm just finding it hard to wrap my brain around anyone getting an email today, that asks me for an account/password update, and actually sending it to them thinking it's legitimate.
    • They are.

      That's why they're still around. Same for SPAM. Someone responds to those e-mails.
    • It doesn't appear to me (maybe old and nearly blind)

      that either of the above examples is requesting log in credentials. They are links to drive by exploits that target unpatched machines ... aren't they?
      • Uh, yes, that's the point of the post

        The title of the post: "New wave of phishing attacks serves malware to PCs and Macs"

        From the post itself: "Even more interesting is the destination. Historically, phishing attacks try to re-create a legitimate site, with the goal of convincing the victim to enter his or her username and password. Clicking this link led to a site that served up a variant of the Blacole (aka “blackhole”) exploit capable of installing a very nasty data-stealing Trojan ..."
        Ed Bott
    • Unfortunately

      It is an effective tactic. Easy/cheap way to reach millions (maybe even billions) of people and even if a small handful fall for the scam it is a win for the scammers. This is why they choose popular services that many people use to maximize their scam. You will most likely never see a phishing scam for some local bank or small regional bank but you always see them for the national banks and big time services like eBay, PayPal, and popular social networks and large companies.

      Despite the information on how to be on the lookout for these scams being readily available people find it too much of a hassle to take responsibility for their own security. In today's world it is easier to phish the information out and trick a user into installing a trojan or malware than try and break an operating system or piece of software by brute force. The operator of the piece of technology remains the weakest link in security.
    • That's not what's happening here

      They're not asking for account details, they're asking the recipient to click a link that points to a webpage that is serving up malware. However, if I ever get an email alert from my bank, I call them directly at the number on my card or account in question. I never click the links in any suspect emails without verifying that the links are legitimate.
    • This isn't an account/password scam

      This is a legitimate-looking mail with a malicious link towards auto-installable malware. Once installed, your machine becomes the scammers' puppet.
    • Unbelievably successful

      I had a friend this past week describe to me a scam phone call she's been receiving for nearly 7 (yes, seven!) years attempting to convince her she's won a Jamaican lottery and needs to pay a fee to accept it. I figured she could probably report the number to the FTC or similar to help bolster a shut down of the operation. Research found that the Jamaican government is cooperating with the US in shutting down reported scammers, but more incredible is the fact that in 2011, Jamaica figures that nearly $300M US was realized from these scams. $300 million! The FTC web site has a victim's quote on there who confessed to responding to repeated requests for money in a scam to the tune of nearly $500,000. I was stunned at the ignorance that exists that would allow someone to get burned to that level.
    • Did you read the article?

      @Godmocker - There's no mention of asking for a password. In the example screenshot above the links that do the damage are pretty innocuous looking.
  • Bingo!

    I have made sure to inform every member of my staff (and my family) that they should never click a link in an email. If they get an email that looks like it came from a bank or credit card, just use a bookmark or type in the address of the bank and go to the site directly.
  • +1

    +1, agreed.
  • If I followed that....

    ....I wouldn't be able to verify my email address with sites/forums I registered with :|
    • Yes, but you would be expecting those emails.

      Hopefully you remember which websites you recently registered.
    • Not true

      Most sites/forums that use an email verification have both a link and a verification number, you simply go to the site/forum and enter the verification number given in the mail. ;)
  • There are enough Windows fanboys out there that will fall for this

    10 to 1 enough.

    That's why Ed Bott is here! To protect you all!