“We Can Not Charge Your Credit Card” Emails Lead to Blackhole Exploit Kit


A spam email that pretends to be from UPS carries an attachment that supposedly contains an invoice from Amazon.

Here’s what the email entitled “We can not charge your credit card” looks like:

Your credit card was blocked.

We tried to withdraw money from your credit card, but your bank decline it. In the attachment you will be found a invoice from your last order. Please pay this invoice as soon as possible.

Conditions of Use Privacy Notice 1996-2012, Amazon.com, Inc. or its affiliates

According to the Dynamoo blog, the attachment is an Amazon_Invoice.htm file that’s designed to download an obfuscated script from the kefrikin.ru domain.

After de-obfuscating the malicious script, I found that it is the BlackHole Exploit kit, which has the following exploits:
  • PDF exploits (CVE-2008-2992, CVE-2007-5659, CVE-2009-0927, CVE-2010-0188)
  • HCP protocol exploit (CVE-2010-1885)
  • Java exploit (CVE-2012-1723)
  • Flash exploit

After successful exploitation, it drops a banking Trojan on the victim's system. We advise all internet users to keep their antivirus solutions up to date and to avoid such emails.
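
For mail filtering, an .htm attachment that pulls a script from a remote host when opened, as described above, can be flagged statically before delivery. The following is an added example, not code from the original post or from the Dynamoo blog; the function names, the sample HTML and the `example.invalid` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make a browser fetch remote content when the file is opened.
REMOTE_ATTRS = {("script", "src"), ("iframe", "src"), ("frame", "src"),
                ("embed", "src"), ("object", "data"), ("applet", "archive")}


class RemoteLoadFinder(HTMLParser):
    """Collects (kind, host) for every remote fetch a local .htm file would trigger."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        for t, a in REMOTE_ATTRS:
            if tag == t and a in attrs:
                self._record(tag, attrs[a])
        # <meta http-equiv="refresh" content="0; url=http://host/...">
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            _, _, target = attrs.get("content", "").partition("=")
            self._record("meta-refresh", target)

    def _record(self, kind, url):
        # Relative references (same-folder files) have no hostname and are skipped.
        host = urlparse(url.strip().strip("'\"")).hostname
        if host:
            self.findings.append((kind, host))


def remote_hosts(html_text):
    """Return the list of (kind, host) remote loads found in an HTML attachment."""
    finder = RemoteLoadFinder()
    finder.feed(html_text)
    return finder.findings


# Constructed sample, not the real attachment; the hosts are placeholders.
SAMPLE = """<html><body>
<h1>Invoice</h1><img src="logo.png">
<script src="http://malicious.example.invalid/main.js"></script>
<meta http-equiv="refresh" content="0; url=http://redirect.example.invalid/x">
</body></html>"""

if __name__ == "__main__":
    for kind, host in remote_hosts(SAMPLE):
        print(f"{kind}: {host}")
```

A URL that inline JavaScript assembles at run time will not appear in these attributes, so an attachment containing any inline script is worth quarantining even when this check returns nothing.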