Blue Coat Labs

A Fresh Example of a Blackhole Spam

Chris Larsen

My spam honeypots yesterday yielded a nice example of a spam attack being used to lure people to servers hosting the infamous Blackhole exploit kit, which we've blogged about several times in the last six months or so.

The spam arrived the evening before. Here's how it looked:

[screenshot of malicious spam]

Clicking on one of the links took me to a hacked site, with the following message:

[screenshot of initial hacked-site relay]

This, of course, is simple camouflage, to distract me while my browser is given further instructions. Under the hood, the HTML looks like this:

[screenshot of inner HTML for the relay]

I retrieved the first of the js.js files, which is extremely simple, just one line of script:

[screenshot of the one-line relay script]

This IP hosts the Blackhole kit and, when I checked, had already been flagged as a malware source in our database by one of our analysts, along with a sibling site that I found by following a different link. (Good to know that the team is on task!)
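As an added illustration (not the author's code or any Blue Coat tooling), here is a small Python heuristic for the relay chain described above: it lists script includes that a page pulls from hosts other than its own, and flags a very short script body that injects an iframe or redirect pointing at a bare-IP URL, the shape of the one-line js.js relay. The page URL, host names, script body and IP address are constructed sample values, not ones from the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a hacked-site relay page that shows a harmless-looking
# "please wait" message while pulling in external js.js files.
PAGE_URL = "http://hacked-site.example/index.html"
PAGE_HTML = """<html><body><p>Please wait while we redirect you...</p>
<script src="http://relay1.example/js.js"></script>
<script src="http://relay2.example/js.js"></script>
</body></html>"""

# Constructed sample: the body of the first js.js, a one-line relay that
# points the browser at a bare-IP host (192.0.2.10 is a documentation address).
RELAY_JS = "document.write('<iframe src=\"http://192.0.2.10/landing/\"></iframe>');"

SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/", re.I)
INJECT = re.compile(r"document\.write|<iframe|location(?:\.href)?\s*=|\.src\s*=", re.I)


def external_scripts(page_url, html):
    """Return script src URLs whose host differs from the page's own host."""
    page_host = urlparse(page_url).hostname
    return [s for s in SCRIPT_SRC.findall(html)
            if urlparse(s).hostname not in (None, page_host)]


def relay_verdict(script_body):
    """Heuristic: a script of at most three non-empty lines that injects an
    iframe or redirect to a bare-IP URL is flagged as a likely relay."""
    body = script_body.strip()
    lines = [ln for ln in body.splitlines() if ln.strip()]
    ips = sorted(set(IP_URL.findall(body)))
    if len(lines) <= 3 and ips and INJECT.search(body):
        return {"verdict": "likely-relay", "ip_hosts": ips}
    return {"verdict": "clean", "ip_hosts": ips}


if __name__ == "__main__":
    for src in external_scripts(PAGE_URL, PAGE_HTML):
        print("external script include:", src)
    print("first js.js:", relay_verdict(RELAY_JS))
```

The bare-IP and short-script checks are only heuristics; a real relay can just as easily use a hostname, so treat a hit as a lead for analyst review rather than a final verdict.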