Automated Blackhole Trojan targeting FedEx customers

Security vendors have uncovered a new mass phishing campaign, tied to the Blackhole exploit kit, which is targeting FedEx customers.

Symantec and Webroot issued statements confirming they had detected an influx of malicious, malware-containing emails masquerading as FedEx receipts.

"Symantec Security Response is aware that fake FedEx emails have been circulating recently. The emails claim the user must print out a receipt by clicking on a link and then physically go to the nearest FedEx office to receive their parcel," said Shunichi Imano, a Symantec security researcher in a company blog.

"Obviously the parcel does not exist and those who click on the link will be greeted by a PostalReceipt.zip file containing a malicious PostalReceipt.exe executable file. Instead of receiving a parcel, which the user did not order in the first place, Trojan.Smoaler is delivered to the computer."

At the time of publishing FedEx had not responded to V3's request for comment, though the company has posted a statement online confirming it is aware of the scam.

"We have received reports of fraudulent emails claiming to come from FedEx regarding 'undeliverable' shipments and fake FedEx delivery notifications," warned FedEx.

"The emails are asking you to click on a link and print a receipt to take to your nearest FedEx location. FedEx does not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords or personal information."

Webroot has since issued a separate warning linking the campaign to the Blackhole exploit kit. It accused the same group of cyber criminals responsible for a similar campaign targeting PayPal customers as being behind it.

"We've already seen the same IP (222.238.109.66) and name servers used in the following previously profiled malicious campaigns, indicating that they've been launched by the same party," warned Webroot's Dancho Danch.

Symantec backed up Webroot's findings, confirming its research had come to the same conclusion.

"The Fedex spam works by tricking users into clicking an email link to a compromised domain. This then redirects users to malicious domains which host exploit kits such as Blackhole or CoolEK," Symantec security response senior manager, Orla Cox told V3.

"These then exploit known vulnerabilities which ultimately deliver the Smoaler payload. The technique used is very similar to other spam botnets such as Trojan.Pandex."

Blackhole is one of many exploit kits available on the cyber black market. It allows non-skilled criminals to mount automated cyber attacks.

The link to the Blackhole exploit is troubling. As well as basic phishing scams, the kit has been linked to more serious attacks, including an exploit that targeted a recently patched vulnerability in Oracle's Java platform.