The DigiNotar breach, and the subsequent revocation of trust in its certificates by the major browsers, has now been exploited as a spam lure.
Research from Barracuda Labs found that consumer confusion over the forged DigiNotar certificates is being used in spam emails pitched directly at business customers of banks, telling them that their SSL certificate has expired.
Security researchers Dave Michmerhuizen and Luis Chapetti said that while the spam is very standard in its appearance, the message is much more dangerous.
They said: “The spammers try to create a sense of urgency with the hope that you will click one of the links to see what happens, which in this case is a particularly bad idea because the second link in the message directs the browser to a server hosting an exploit kit.
“Once the browser visits that site a series of attacks begin which can result in the download of Trojan.Buzus. This nasty payload steals login credentials and opens a backdoor allowing remote control of the now-infected computer.”
Barracuda said that it has seen more and more overtly malicious spam directing users to sites such as these since the Blackhole exploit kit became widely available earlier this year.
Carl Leonard, security research manager at Websense Security Labs, told SC Magazine that this was a low volume campaign of less than 100 messages. He said: “It took the user to a .scr file that delivered the exploits. But this shows that scammers are tuned into the hot topics.
“This is not a targeted attack in an advanced persistent threat style; it looks like a phishing email, but it is much more sinister as it delivers an exploit kit and not a standard phish.
“Sometimes we do see a test run on phishing messages, but as this happened four days ago, we may see more tomorrow or the sender may decide not to bother with it.”
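The campaign described above combines a certificate-expiry urgency lure with a link to an executable (.scr) download. The following is an added example, not code from the article or from Barracuda or Websense, showing how a mail-filtering rule could flag that combination. The sample messages and domain names (bank.example, cdn-updates.example) are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the lure the article describes.
SAMPLE_LURE = (
    "Subject: Action required: your SSL certificate has expired\n\n"
    "Dear customer,\n"
    "Following the DigiNotar incident your SSL certificate has expired and your\n"
    "online banking access will be suspended. Review the notice at\n"
    "http://bank.example/notice/cert-status\n"
    "or download the updated certificate immediately from\n"
    "http://cdn-updates.example/certs/ssl_update.scr\n"
)
SAMPLE_BENIGN = (
    "Subject: October statement available\n\n"
    "Your statement is ready. Sign in at https://bank.example/statements to view it.\n"
)

# Lure vocabulary: a certificate theme plus an urgency/threat phrase.
CERT_WORDS = re.compile(r"\b(ssl|certificate|diginotar)\b", re.IGNORECASE)
URGENCY_WORDS = re.compile(
    r"\b(expired?|expires|suspend(?:ed)?|immediately|urgent|within 24 hours)\b",
    re.IGNORECASE,
)
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Extensions that Windows will execute directly; .scr is the one the article mentions.
EXECUTABLE_EXTENSIONS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")


def extract_links(text):
    """Return all http(s) URLs in the message, with trailing punctuation stripped."""
    return [url.rstrip(".,;:)") for url in URL_PATTERN.findall(text)]


def flag_message(raw_message):
    """Return a list of reason tags for a message; an empty list means no hit."""
    reasons = []
    if CERT_WORDS.search(raw_message) and URGENCY_WORDS.search(raw_message):
        reasons.append("lure:certificate-expiry-urgency")

    links = extract_links(raw_message)
    hosts = set()
    for url in links:
        parsed = urlparse(url)
        hosts.add(parsed.hostname or "")
        if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"link:executable:{url}")

    # Several links to different hosts is typical of a lure where one link is
    # a decoy and another leads to the payload server.
    if len(hosts) > 1:
        reasons.append("links:multiple-hosts")
    return reasons


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, flag_message(sample))
```

In a real gateway this would feed a scoring system rather than block outright: the urgency rule alone fires on legitimate certificate-renewal mail, so the executable-link rule is the one that should carry the most weight.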
He also said that, according to Websense's statistics, the Blackhole exploit kit was currently one of the most popular kits in the wild. Websense has previously said that Blackhole is based on PHP with a MySQL backend, and that it usually targets Windows operating systems and the applications installed on them.
It also lets the malicious payload file be renamed to make it undetectable by anti-virus software, and its exploits are encrypted with custom algorithms.