Tag Archives: blackhole exploit

Express LinkedIn Mail: spread Blackhole Exploit Kit URLs

Leave a reply

We have received few emails that looked like to be sent from LinkedIn:

Email

But after checking email header details it was clearly a spam:

Return-Path: trtro@www.trt.ro
Received: from vps136.whmpanels.com (unknown [89.42.219.181])
Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com
Date: Fri, 30 Mar 2012 21:37:47 +0100
From: "Support" trtro@www.trt.ro
Subject: Express LinkedIn Mail

The A HREF links redirect to 3 different malicious URLs:

hxxp:// groupehydrogaz .com/20sZhJqa/index.html
hxxp:// dealerpos .com/uFj7A93z/index.html
hxxp:// hobbyconcept666.yellis .net/20sZhJqa/index.html

URLVoid reports:

http://www.urlvoid.com/scan/groupehydrogaz.com/
http://www.urlvoid.com/scan/dealerpos.com/
http://www.urlvoid.com/scan/hobbyconcept666.yellis.net/

The page content dumped from one of these malicious URLs looks like:

Dumped Content

That content looks like the spread-style of Blackhole Exploit Kit.

Other malicious URLs are:

hxxp:// ftp.planitur .com.br/dyEmcL4N/js.js
hxxp:// quiztown .org/U2iBLpvu/js.js
hxxp:// wap .tl/8M6kMfpV/js.js
hxxp:// laspeziacaritas .it/1M4VoeVe/js.js

URLVoid reports:

http://www.urlvoid.com/scan/ftp.planitur.com.br/
http://www.urlvoid.com/scan/quiztown.org/
http://www.urlvoid.com/scan/wap.tl/
http://www.urlvoid.com/scan/laspeziacaritas.it/

Pay always attention when opening known and unknown emails:

1) Always analyze email headers to see who sent the email
2) Scan links with our service http://www.urlvoid.com/
3) Do not download unknown files
4) Avoid to open emails that have subject related to pharmaceutical products
5) Avoid to open emails that have subject related to sexual content
6) When emails are from your Bank, always call your Bank before open the email