Red Sox Baseball spam leads to BlackHole Exploit Kit

Cybercriminals are spreading fake Red Sox ticket purchase emails that redirect victims to a site which pushes malware onto their machines. The email subject is "Thank You for your order".

Date:      Thu, 22 Aug 2013 13:02:19 -0400 [13:02:19 EDT]
From:      ticketoffice@inbound.redsox.com
Subject:      Thank You for your order. ( RSXV – 4735334 – 0959187 )

Thank you for your recent ticket purchase. We truly appreciate your support and commitment to Red Sox Baseball. If you have any questions regarding your purchase, please contact our Ticket Services department by calling (toll free) 877-REDSOX9.

Note that you will receive a separate email within the next two business days which will include the vouchers you will need for both parking at the Prudential Center and your Duck Boat ride to the ballpark, included in each End of Summer Family Pack purchase.

Please remember that all sales are final-there are no refunds or exchanges issued on any tickets. Also note that all game times are subject to change. Be sure to visit redsox.com for the latest Red Sox news and any game time updates.

Thanks again! We look forward to seeing you at the ballpark this season.

Boston Red Sox Ticketing Department

[Screenshot of the fake email]

According to Dynamoo's Blog, clicking the link redirects victims to www.redsox.com.tickets-service.lindoliveryct.net/news/truck-black.php, which is a subdomain of lindoliveryct.net rather than of redsox.com; the "redsox.com" prefix only makes the host look legitimate.
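To show how a mail filter can catch the host trick described above, here is an added example (not from the original post or from Dynamoo's Blog) that extracts the registrable domain of every link in a message and flags hosts that merely embed a brand domain as a leading label. The expected-domain list and the sample message body are constructed for this example, and public-suffix handling is simplified (multi-label suffixes such as co.uk are not handled).

```python
import re
from urllib.parse import urlsplit

# Constructed list: domains that legitimate Red Sox ticket mail is expected to link to.
EXPECTED_DOMAINS = {"redsox.com", "mlb.com"}

# Constructed sample body containing the redirect URL from the post and one legitimate link.
SAMPLE_BODY = """Thank you for your recent ticket purchase.
View your order: http://www.redsox.com.tickets-service.lindoliveryct.net/news/truck-black.php
Be sure to visit http://www.redsox.com for the latest Red Sox news."""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (simplified public-suffix logic)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url: str, expected=EXPECTED_DOMAINS) -> dict:
    """Classify one URL: is its registrable domain trusted, and does it embed a brand
    domain as a leading label (e.g. redsox.com.tickets-service.<other>.net)?"""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    embedded = sorted(
        d for d in expected
        # A host that really is the brand domain or one of its subdomains is fine.
        if host != d and not host.endswith("." + d)
        # Brand label(s) appearing before a different registrable domain is the lookalike.
        and (host.startswith(d + ".") or ("." + d + ".") in host)
    )
    return {
        "host": host,
        "registrable_domain": reg,
        "legitimate": reg in expected,
        "embedded_brand": embedded,
        "lookalike": bool(embedded) and reg not in expected,
    }


def suspicious_links(body: str) -> list:
    """Return the analysis of every link in the message that uses the lookalike pattern."""
    return [r for r in (analyse_link(u) for u in URL_RE.findall(body)) if r["lookalike"]]


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_BODY):
        print("lookalike host:", finding["host"], "-> really", finding["registrable_domain"])
```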

The domain hosts the BlackHole v2.0 exploit kit, which installs a Trojan that lets the attacker run payloads on the victim's computer and make the infected machine part of a botnet, used to send more spam, attack other machines on the network, or act as a proxy.

To protect yourself, make sure you are running security software with the latest signature updates, keep your OS and applications updated, and never open links or attachments in emails from suspicious sources.
