Fake Payroll Confirmation Email Leads to Black Hole Exploit Kit

Criminal hackers launched an attack campaign earlier this week in which they sent a slew of emails purporting to come from the financial software developer Intuit. The emails contained links that led to sites hosting the Blackhole exploit kit in an apparent attempt to infect the machines of corporate users.

In a Webroot analysis, Dancho Danchev explains that the two separate campaigns imitated Intuit Payroll’s direct deposit system in hopes that their recipients would follow malicious links included in the emails and thus infect themselves with the latest version of the Black Hole Exploit kit.

The exploit is serving an Adobe vulnerability from two years ago, CVE-2010-0188. A successful exploitation will load ‘MD5: 5723f92abf257101be20100e5de1cf6f’ and ‘MD5: 06c6544f554ea892e86b6c2cb6a1700c’ to its host.

The various malicious domains used in the campaign responded to the same set of IP addresses. You can find a list of the malicious URLs in Danchev’s write-up.

The first campaign’s emails looked like this and second campaign looked like this. Users that followed the malicious link were presented with a bogus loading screen that claimed they would not be able to access their QuickBooks account without an update to the Intuit Security Tool.