Friday, November 16, 2012

Bogus Better Business Bureau themed notifications serve client-side ...

By Dancho Danchev

Cybercriminals are currently spamvertising millions of emails impersonating the Better Business Bureau (BBB), in an attempt to trick users into clicking on a link to a non-existent report. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign (the landing pages are all named cmplinfo.html or bbbcmpln.html and sit on legitimate but compromised sites):
hxxp://www.kulturszalon.hu/cmplinfo.html
hxxp://plastonline.expopage.net/cmplinfo.html
hxxp://holmgard.ru/bbbcmpln.html
hxxp://www.resgroup.com/cmplinfo.html
hxxp://fatherandy.com/cmplinfo.html
hxxp://luxense.eu/bbbcmpln.html
hxxp://sauter-vvp.de/cmplinfo.html
hxxp://lrhmedia.com/bbbcmpln.html
hxxp://stsmc.org/cmplinfo.html
hxxp://kulturszalon.hu/cmplinfo.html
hxxp://fajnybazar.cz/cmplinfo.html
hxxp://caselle-vpn.net/cmplinfo.html
hxxp://intranet.sextaconcepcion.cl/cmplinfo.html
hxxp://www.stsmc.org/cmplinfo.html
hxxp://philipsambisound.info/cmplinfo.html
hxxp://www.j-channel.ch/cmplinfo.html
hxxp://eaglemailboxsales.com/cmplinfo.html
hxxp://www.teratec.co.il/cmplinfo.html
hxxp://www.azmp.ru/cmplinfo.html
hxxp://znamenie.com/cmplinfo.html
hxxp://star-crep.it/bbbcmpln.html
hxxp://mignonnettes.it/bbbcmpln.html

Sample client-side exploits serving URL: hxxp://samplersmagnifyingglass.net/detects/confirming_absence_listing.php - 183.81.133.121, AS38442 - Email: jap_gazo8262@fansonlymail.com

Although I wasn't able to obtain the actual malicious payload from this campaign, it's worth pointing out that the cybercriminals behind it relied on the same infrastructure as they did in previously profiled malicious attacks launched by the same party. We also know that, at the following dates and times, the following malicious URLs resolved to the same IP (183.81.133.121):

2012-10-16 00:24:08 - hxxp://navisiteseparation.net/detects/processing-details_requested.php
2012-10-12 11:19:37 - hxxp://editdvsyourself.net/detects/beeweek_status-check.php

Resolving to the same IP (183.81.133.121) are also the following malicious domains:
stafffire.net
hotsecrete.net - Email: counseling1@yahoo.com
the-mesgate.net - also resolves to 208.91.197.54 - Email: admin@newvcorp.com

Name servers used in the campaign:
Name Server: NS1.TOPPAUDIO.COM - 91.216.93.61 - Email: windowclouse@hotmail.com
Name Server: NS2.TOPPAUDIO.COM - 29.217.45.138 - Email: windowclouse@hotmail.com
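The indicators above are only useful if they get swept across proxy or web logs, and the interesting signal is the chain the post describes: a client fetches one of the compromised-site landing pages and, seconds later, the Black Hole URL under /detects/. The following is an added example, not code from the original post or from Webroot. The host, IP and path indicators are copied from the post; the log format and the log lines are constructed for the example; and the /detects/ path regex is my generalisation of the three Black Hole URLs quoted above (an assumption, since the kit could use other naming schemes).

```python
import re
from urllib.parse import urlparse

# Indicators copied from the post (hxxp is a defanged http).
LANDING_PAGES = {"/cmplinfo.html", "/bbbcmpln.html"}
EK_HOSTS = {
    "samplersmagnifyingglass.net", "navisiteseparation.net", "editdvsyourself.net",
    "stafffire.net", "hotsecrete.net", "the-mesgate.net",
    "183.81.133.121", "208.91.197.54",
}
# Assumption: the three Black Hole landing URLs in the post share this shape,
# /detects/<lowercase words joined by - or _>.php, so match on that pattern
# to catch the same kit on hosts not yet on the list.
EK_PATH = re.compile(r"^/detects/[a-z]+(?:[-_][a-z]+)*\.php$")


def classify(url):
    """Map a URL to an indicator class, or None if nothing matches.
    Order matters: a known exploit-kit host outranks a path-only match."""
    u = urlparse(url.replace("hxxp://", "http://", 1))
    host = (u.hostname or "").lower()
    if host in EK_HOSTS:
        return "ek-host"
    if EK_PATH.match(u.path):
        return "ek-path"
    if u.path in LANDING_PAGES:
        return "bbb-landing"
    return None


# Constructed proxy log (not from the post): epoch client status method url
SAMPLE_LOG = """\
1352991600 10.1.1.5 200 GET http://www.example.org/index.html
1352991612 10.1.1.5 200 GET http://www.kulturszalon.hu/cmplinfo.html
1352991614 10.1.1.5 200 GET http://samplersmagnifyingglass.net/detects/confirming_absence_listing.php
1352991615 10.1.1.5 200 GET http://samplersmagnifyingglass.net/detects/confirming_absence_listing.php?kdf=2
1352991700 10.1.1.9 404 GET http://fatherandy.com/cmplinfo.html
1352991800 10.1.1.12 200 GET http://203.0.113.7/detects/status-check_pending.php
1352991900 10.1.1.20 200 GET http://intranet.example.com/detects/report.aspx
"""

LINE = re.compile(r"^(\d+) (\S+) (\d{3}) (\S+) (\S+)$")


def find_hits(log_text):
    """Return one record per log line whose URL matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, client, status, _method, url = m.groups()
        label = classify(url)
        if label:
            hits.append({"ts": int(ts), "client": client,
                         "status": int(status), "url": url, "label": label})
    return hits


def infection_chains(hits, window=60):
    """Clients that fetched a BBB landing page (HTTP 200) and then, within
    `window` seconds, an exploit-kit URL: the redirect chain the post
    describes. A non-200 on the landing page (site already cleaned, or
    blocked) is reported by find_hits but does not count as a chain."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], []).append(h)
    chained = []
    for client, seq in by_client.items():
        seq.sort(key=lambda h: h["ts"])
        landings = [h for h in seq if h["label"] == "bbb-landing" and h["status"] == 200]
        ek = [h for h in seq if h["label"] != "bbb-landing"]
        if any(0 <= e["ts"] - l["ts"] <= window for l in landings for e in ek):
            chained.append(client)
    return chained


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(h["client"], h["label"], h["status"], h["url"])
    print("likely exposed to Black Hole:", infection_chains(hits))
```

In the constructed log, 10.1.1.5 is the only client that completes the chain; 10.1.1.9 got a 404 on the landing page, 10.1.1.12 hit a /detects/ URL on an IP not in the post (worth a look, but not proof of the BBB lure), and the intranet .aspx line shows the path regex does not fire on arbitrary /detects/ paths.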

We'll continue monitoring the campaigns launched by this group, and post updates as soon as new campaigns are launched.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


This entry was written by ddanchev and posted on November 15, 2012 at 12:00 am and filed under Botnet activity, Downloaders, Exploits, mal-effects, malware, social engineering, spam, Threat Research, Trojans with tags BBB, Better Business Bureau, Black Hole Exploit Kit, cybercrime, Exploits, Malicious Software, malware, security, social engineering, spam, Spam Campaign, Spamvertised, vulnerabilities.

Source: http://blog.webroot.com/2012/11/15/bogus-better-business-bureau-themed-notifications-serve-client-side-exploits-and-malware/

