At the time of writing this is the most widely encountered web threat on the internet, and infection rates are still rising.

The Blackhole exploit kit is currently the most prevalent web threat, accounting for 28% of all web threats detected by Sophos and 91% of those detected by AVG.

[1] Its purpose is to deliver a malicious payload to a victim’s computer.
[2] The creators of the kit are suspected to be infamous Russian hackers: “HodLuM” and “Paunch”.

Basic summary of how Blackhole works

  • The customer licenses the Blackhole exploit kit from the authors and chooses various options to customize the kit.
  • A potential victim loads a compromised web page or opens a malicious link in a spammed email.
  • The compromised web page or malicious link redirects the user to the landing page of a Blackhole exploit kit server.
  • The landing page contains obfuscated JavaScript that fingerprints the victim’s browser and installed plugins, loads every exploit to which that computer is vulnerable, and sometimes includes a Java applet tag that loads a Java Trojan horse.
  • If a usable exploit exists, it runs, executes a payload on the victim’s computer, and reports back to the Blackhole exploit kit server which exploit delivered the payload.

Blackhole Email

Spam email example claiming to be a transaction report
Spam email example claiming to be from a social networking site

The most frequently observed subject lines in these attacks were:

[REMOVED] Urgent Notification
[REMOVED] Funding Notification
[REMOVED] Complaint activity report
Corporate [REMOVED] message – [REMOVED] pages
New invitation
Verify your account
Your Order
List of all Employer contributions scheduled on [REMOVED]