The news about the BlackHole Exploit kit v2.0 release spreads like a wildfire in the Internet. It seems like Cyber Criminals started to use the new version for infecting users.
A security researcher have come across a spam mail purporting to be an ADP invoice reminder which leads to BlackHole Exploit kit v2.0 landing page.
The Spam mail intercepted by Researcher:
Subject: ADP Invoice Reminder
Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .
To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.
Total amount due by September 13, 2012
$17202.04
If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.
Questions about your bill?
Contact David Nieto by Secure Mail.
Note: This is an automated email. Please do not reply.
After clicking the link provided in the mail, recipient will be redirected to the malicious page through multiple sites. At the end of redirection, the victim will be ended in this page "46.249.*.122/links/systems-links_warns.php".
It seems like the landing page of BlackHole Exploit version 2.0. In previous version of BH, you will see "main.php?page=[random_number]" at the end of url. But the latest version use combination of meaningful words.
Once again , i like to remind the Dynamic URL feature of the BH 2.0. The generated link targets only one users which is valid for a few seconds. Yes, it is true, the above link generates 404 error at the time of researcher visit.
At the time of writing this article, the above IP is unavailable.
Today , i have analyzed three malicious IP address which uses the latest version of BlackHole Exploit. only one IP displayed the exploits. After few seconds, that IP also start to generate 404 error page.