Blackhole Exploit Kit Spam Campaigns Now Using Shortened URLs

 Analysis by: Chloe Ordonia

Recently, we have been receiving samples of spam campaigns that leverage the notorious Blackhole Exploit Kit. The spammed messages spoof official notifications from organizations such as Facebook, eBay and VISA. On their own they are harmless and carry no malicious attachments, but they urge the reader to click the links they contain. Those links invariably lead to a malicious site hosting the exploit kit, and from there to system infection. This behavior is typical of attacks that use the Blackhole Exploit Kit.

What is new here, and what users should be careful about, is that the malicious links have been deliberately obfuscated with URL shorteners. URL shortening services such as bit.ly turn long URLs into short ones so that they fit in messages with a limited character count. Because shortened links are so widely used in social networking and instant messaging, a user may trust one automatically and click it, even though the site it ultimately points to is malicious. That is the case with this series of spammed mails: the shortened link hides the exploit site's real address until the redirect is followed.

Users are therefore cautioned to treat mails that carry shortened URLs with suspicion. Do not click these links; instead, delete the mail they arrived in, or verify with the organization that supposedly sent it before taking any action.
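To illustrate the point, here is an added example (not part of the original advisory, and not Trend Micro code) of how an analyst or mail gateway can triage such a message without clicking anything: it pulls the URLs out of a constructed sample message, recognizes shortener hosts from an illustrative list, asks the shortener where a short link points using a HEAD request with redirects disabled, and checks whether that destination actually belongs to the organization the mail claims to come from. The sample message, the shortener list, the claimed domain facebook.com and the 198.51.100.7 destination used in the demo are all assumptions made for the example.

```python
"""Triage shortened URLs in a suspicious e-mail without following them (added example)."""
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumption: a small, illustrative set of shortener hosts; a real deployment
# would maintain a fuller, regularly updated list.
SHORTENER_HOSTS = {"bit.ly", "j.mp", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in the message text, in order of appearance."""
    return URL_RE.findall(text)


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def is_shortened(url):
    """True if the link's host is one of the known shortener services."""
    return hostname(url) in SHORTENER_HOSTS


def belongs_to(url, org_domain):
    """True if the URL host is org_domain itself or a subdomain of it."""
    host = hostname(url)
    org = org_domain.lower()
    return host == org or host.endswith("." + org)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the shortener's target is never fetched."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def peek_redirect(url, timeout=10):
    """Ask the shortener where a link points (HEAD request) without following it.

    Returns the Location header, or None if the service did not redirect.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "short-url-triage/1.0"})
    try:
        resp = opener.open(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib surfaces a 3xx as an HTTPError whose
        # headers still carry the Location the shortener answered with.
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise
    return resp.headers.get("Location")


def triage(message_text, claimed_org_domain, peek=peek_redirect):
    """Classify each link in the message.

    For every URL: whether it is shortened, the one-hop destination (resolved
    via `peek` for shortened links, the link itself otherwise), and whether
    that destination belongs to the organization the mail claims to be from.
    `peek` is injectable so the logic can be exercised offline.
    """
    findings = []
    for url in extract_urls(message_text):
        short = is_shortened(url)
        dest = peek(url) if short else url
        findings.append({
            "url": url,
            "shortened": short,
            "destination": dest,
            "matches_claimed_org": bool(dest) and belongs_to(dest, claimed_org_domain),
        })
    return findings


# Constructed sample message for the demo (not a real campaign sample).
SAMPLE_MAIL = (
    "From: Facebook <notification@facebook.com>\n"
    "Subject: You have 1 new message\n"
    "\n"
    "You have a new message waiting. Read it here: http://bit.ly/constructedtoken1\n"
    "Or sign in at https://www.facebook.com/ to see all messages.\n"
)


def _canned_peek(url):
    """Offline stand-in for peek_redirect: pretends the shortener points at a
    constructed landing page (198.51.100.7 is a documentation address)."""
    if url.startswith("http://bit.ly/"):
        return "http://198.51.100.7/main.php?page=constructed"
    return None


if __name__ == "__main__":
    for finding in triage(SAMPLE_MAIL, "facebook.com", peek=_canned_peek):
        print(finding)
```

Only the first hop is resolved, deliberately: following the chain to its end would fetch the exploit page. A shortener may also answer differently depending on User-Agent or source address, so a HEAD lookup shows what the shortener told this client, not necessarily what a victim's browser would receive; the result is a triage signal, not proof that a link is safe.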

SPAM BLOCKING DATE / TIME: July 30, 2013 GMT-8
TMASE INFO
  • ENGINE: 7.0
  • PATTERN: 0048