March 29, 2012 By Dancho Danchev

Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware

Cybercriminals' newest spamvertised malware campaign is brand-jacking Verizon Wireless in an attempt to trick end users into clicking on the malicious links embedded in the email.

More details:

The campaign relies on thousands of compromised legitimate web sites, each hosting a tiny JavaScript file (.js) in an attempt to trick Web reputation filters into thinking the content is served from a legitimate web site. The campaign ultimately redirects to a BlackHole web malware exploitation kit at hxxp://slickcurve.com/showthread.php?t=d7ad916d1c0396ff, which drops the following MD5: 99FAB94FD824737393F5184685E8EDF2.

It’s being launched by the same cybercriminals that launched last week’s “Malicious USPS-themed emails circulating in the wild” campaign, as both campaigns share the same directory/exploit-serving structure.

The MD5 uses the following dropzone for sending back the intercepted accounting data from the infected PCs: hxxp://176.28.18.135:8080/pony/gate.php. Now where have we seen this IP before? In last week's "Spamvertised LinkedIn notifications serving client-side exploits and malware" campaign, where 176.28.18.135 was serving client-side exploits through the BlackHole web malware exploitation kit.

The MD5 also attempts to contact the following dropzones if 176.28.18.135 is unavailable:

  • hxxp://85.214.243.87:8080/pony/gate.php
  • hxxp://88.85.99.44:8080/pony/gate.php

It also downloads a copy of the ZeuS crimeware, using the following MD5: 86A548CADA5636B4A8ED7DE5F654FF96
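The dropzone and exploit-kit indicators above can be turned into a simple proxy-log check. The following is an added example (not code from the original post or from Webroot); the log lines are constructed for illustration, the log format is assumed, and the 16-hex-character `t` parameter pattern is an assumption generalised from the single BlackHole URL quoted above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators quoted in the write-up: Pony dropzone hosts and the BlackHole landing host.
PONY_DROPZONE_HOSTS = {"176.28.18.135", "85.214.243.87", "88.85.99.44"}
PONY_GATE_PATH = "/pony/gate.php"
BLACKHOLE_HOST = "slickcurve.com"

# Constructed proxy log (not real traffic). Assumed format:
# "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2012-03-29T10:01:02Z 10.0.0.21 GET http://www.example.com/index.html 200
2012-03-29T10:01:05Z 10.0.0.21 GET http://slickcurve.com/showthread.php?t=d7ad916d1c0396ff 200
2012-03-29T10:01:09Z 10.0.0.21 POST http://176.28.18.135:8080/pony/gate.php 200
2012-03-29T10:01:10Z 10.0.0.21 POST http://85.214.243.87:8080/pony/gate.php 503
2012-03-29T10:02:00Z 10.0.0.22 GET http://www.example.org/showthread.php?t=1234 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
HEX16_RE = re.compile(r"[0-9a-f]{16}")


def classify_url(url):
    """Label a URL that matches the campaign infrastructure; None otherwise."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    # Pony check-in: known dropzone host plus the gate.php path (port is not required,
    # so a dropzone moved off 8080 is still caught).
    if host in PONY_DROPZONE_HOSTS and parsed.path == PONY_GATE_PATH:
        return "pony-dropzone"
    # BlackHole landing page: showthread.php on the quoted host with a hex 't' id
    # (16-char pattern is an assumption based on the one observed URL).
    t_values = parse_qs(parsed.query).get("t", [])
    if host == BLACKHOLE_HOST and parsed.path.endswith("/showthread.php"):
        if any(HEX16_RE.fullmatch(t) for t in t_values):
            return "blackhole-landing"
    return None


def scan_proxy_log(text):
    """Return (client_ip, label, url, status) for each line hitting an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        _ts, client, _method, url, status = m.groups()
        label = classify_url(url)
        if label:
            hits.append((client, label, url, status))
    return hits
```

A failed POST (such as the 503 above) is still reported, since a fallback attempt to a secondary dropzone is itself evidence of infection.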

Webroot security researchers will continue monitoring the campaign, to ensure that Webroot SecureAnywhere customers are protected from this ongoing threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
