Blackhole malware attack poses as rejected wire transfer email

Wire money neon sign. Image from ShutterstockSophosLabs is intercepting a wave of malicious emails that have been spammed out around the world, luring unsuspecting internet users into clicking on a malicious attachment.

The emails all claim to be related to a rejected wire transfer. Although most savvy computer users would realise that unsolicited email is unlikely to be legitimate, there are some who might be vulnerable or merely curious enough to click on the HTML attachment, not realising that it can cause problems for their PC.

Here’s a typical example of an email we have intercepted.

Malicious wire transfer email

Sign up to our free newsletter.
Security news, advice, and tips.

The subject lines used in the malicious spam campaign can vary, but are all related to a “Wire Transfer Confirmation” (some give a reference number in an attempt to make the message appear more official).

Here is a small selection of the subject lines we saw at SophosLabs during the space of just one minute.

Malicious wire transfer email subject lines

Attached to each email is a file called Wire_AMBA01-Rejected.htm, which Sophos products detect as Troj/JSAgent-CK.

To the casual observer, the file may seem harmless enough – displaying a message saying

"Please wait a moment. You will be forwarded...".

Segment of code

But it’s the next section of the HTML code which is interesting. A script deciphers a sequence of numbers into code which the computer then executes.

SophosLabs researchers have tools which help them deobfuscate code like this, to find out what it’s really planning to do..

Deobfuscated code

If your computer isn’t properly protected, you will be redirected to a hacked Russian website which is playing host to the Blackhole exploit kit – within seconds your computer will most likely be infected by malware.

A few days ago we saw an attack in a similar vein, with a fake Facebook photo tag notification using the Blackhole kit to exploit computers.

As ever, keep your security up-to-date. That not only means running an up-to-date anti-virus, but also ensuring that you have the latest operating system and application patches in place.

Finally, remember to have a spoonful of common sense each morning – and consign unwanted, unsolicited emails to the trash can rather than clicking on any links or attachments that they may contain.

Wire money neon sign image, courtesy of Shutterstock.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.