September 03, 2012, 11:01 AM — Hackers are distributing rogue email notifications about changes in Microsoft's Services Agreement to trick people into visiting malicious pages that use a recently circulated Java exploit to infect their computers with malware.
"We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences," Russ McRee, security incident handler at the SANS Internet Storm Center, said Saturday in a blog post.
The rogue email messages are copies of legitimate notifications that Microsoft sent out to users to announce changes to the company's Services Agreement that will take effect Oct. 19.
However, in the malicious versions of the emails, the correct links have been replaced with links to compromised websites that host attack pages from the Blackhole exploit toolkit.
Blackhole is a tool used by cybercriminals to launch Web-based attacks that exploit vulnerabilities in browser plug-ins like Java, Adobe Reader or Flash Player, in order to install malware on the computers of users who visit compromised or malicious websites.
This type of attack is known as a drive-by download and is very effective because it requires no user interaction to achieve its goal.
Blackhole was recently updated to include a new exploit for Java 7 that appeared online last Monday. The links in the rogue Microsoft Services Agreement notifications point to Blackhole-infected websites make use of the new Java exploit to install a variant of the Zeus financial malware, McRee said.
Oracle released Java 7 Update 7 on Thursday to address the vulnerabilities targeted by this exploit.
The malicious Java applet used in this attack is detected by only eight of the 42 anitivirus engines available on the VirusTotal file scanning service. The Zeus variant has a similarly low detection rate.
The technique of creating malicious versions of legitimate email messages sent by trusted companies is very old. However, its continued use by cybercriminals suggests that it is still efficient.