By Dave Michmerhuizen & Luis Chapetti – Security Researchers
Recently Dutch certificate authority DigiNotar suffered a compromise that resulted in the issuance of over 200 forged certificates for a variety of well known web domains including Google, Yahoo and Mozilla.
The certificates have been revoked and certificate users have been quick to update their products. Spammers and malware distributors have been just as quick to take advantage of the confusing stories about SSL certificates that have been appearing in the mainstream media.
Consider this spam that we recently started seeing at Barracuda Labs. The message, pitched directly to business customers of the Royal Bank of Canada tries to convince them that their SSL certificate has expired.
While it may look like garden variety phishing spam, this message is much more dangerous. The spammers try to create a sense of urgency with the hope that you will click one of the links to see what happens; which, in this case, is a particularly bad idea because the second link in the message directs the browser to a server hosting an exploit kit. Once the browser visits that site a series of attacks begin which can result in the download of Trojan.Buzus. This nasty payload steals login credentials and opens a backdoor allowing remote control of the now-infected computer.
Ever since the blackhole exploit kit became widely available earlier this year, the Barracuda Networks Real Time Protection System has been seeing more and more overtly malicious spam directing users to sites such as these which attempt to force malware onto users computers. All it takes is one initial click on a link to set off a chain of exploits which require no further interaction to infect a computer. As always, we recommend you treat spam messages with great care.