At 3 AM on February 6, 2012, Symantec Security Response observed spam carrying malicious links which target the upcoming tax season. The spam volume spiked between 6 AM and 1 PM, and over 200 unique URLs leading to a Blackhole toolkit were identified.
A Blackhole toolkit compromises the victim's machine by targeting various vulnerabilities on it. Symantec protects our customers with multiple layers of protection: antispam, antivirus, and IPS signatures. For instance, the payload downloaded from the malicious website is detected as Trojan.Zbot, and IPS detects this web attack as “Web Attack: Blackhole Toolkit Website 14” and “Web Attack: Blackhole Exploit Kit Website 11”.
The spam asks the user to click on a link to verify their account information. Below is an example of one such spam:
Examples of links found in messages:
The domains used in the spam email include recently registered domains and hijacked domains which employed weak security. Symantec advises our readers to be cautious ahead of tax season and follow general security guidelines to protect against malicious attacks.