Spamvertised ‘US Airways’ themed emails serving client-side exploits and malware


Cybercriminals are currently spamvertising yet another social-engineering-driven malicious email campaign, this time impersonating US Airways.

Upon clicking the malicious links found in the emails, end and corporate users are exposed to client-side exploits served by the BlackHole web malware exploitation kit.

More details:

Spamvertised subjects: US Airways online check-in, US Airways reservation confirmation, Confirm your US airways online reservation, US Airways online check-in confirmation

Message: You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). After that, all you have to do is print your boarding pass and go to the gate. Confirmation code: 250462 Check-in online: Online reservation details

Spamvertised malicious URL: hxxp://goldapnews.pl/zh6jPwn1/index.html

Once a user clicks one of the links, the landing page attempts to load obfuscated JavaScript (the js.js files listed below) from several compromised web servers; that script redirects the browser to the URL serving the client-side exploits from the BlackHole web malware exploitation kit.


Compromised URLs, part of the campaign (the affected web sites are currently cleaning up their compromised domains and are therefore serving an HTTP/1.1 404 Not Found error message):

hxxp://alasinmedia.pp.fi/8qeXM1Kx/js.js
hxxp://boxpluss.com/00o6FfJc/js.js
hxxp://raja-sms.com/roLcnvNu/js.js

The campaign attempts to exploit end and corporate users through the following vulnerabilities: the libtiff integer overflow in Adobe Reader and Acrobat (CVE-2010-0188) and the Windows Help and Support Center URL Validation Vulnerability (CVE-2010-1885). Both were patched by their vendors in 2010, so this exploit mix only succeeds against users running outdated Reader/Acrobat or unpatched Windows installations.

Client-side exploitation directory structure for the campaign:

hxxp://goldapnews.pl/zh6jPwn1/index.html - compromised legitimate web site
hxxp://66.151.244.191/showthread.php?t=73a07bcb51f4be71 - compromised game server
hxxp://66.151.244.191/data/ap2.php?f=4203d - compromised game server

IP Information for 66.151.244.191:

Resolves to v-66-151-244-191.unman-vds.internap-dallas.nfoservers.com
Hosted in the: United States
AS: AS12179, INTERNAP-2BLK Internap Network Services

According to independent sources, 66.151.244.191 was previously used as a game server, indicating a possible compromise by the cybercriminals behind this ongoing campaign.

The campaign ultimately drops the following malicious executable – MD5: 340f5884390ddcc42837078d63b6f293
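The indicators above (the compromised hosts, the js.js redirector paths, the exploit-kit URLs on 66.151.244.191 and the MD5 of the dropped executable) are only useful if they are turned into something that can be run over traffic and files. The following Python script is an added example, not code from the Webroot post: it scans Squid-style web-proxy log lines for the campaign's exact indicators, adds generic patterns for the campaign's URL structure (an eight-character alphanumeric directory followed by js.js or index.html on a compromised site, and the kit's showthread.php/ap2.php paths, which are assumptions generalised from the URLs in the post rather than published BlackHole signatures), reports which clients fetched both the kit landing page and its follow-up download, and checks a file against the published MD5. The log format and the sample log lines are constructed for the example.

```python
"""Scan proxy logs and files for the US Airways / BlackHole campaign indicators.

Added example, not part of the original post. Hosts, paths, the IP and the
MD5 come from the post; the Squid-style log format, the sample log lines and
the generic URL-structure patterns are constructed assumptions.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Exact indicators published in the post.
KNOWN_HOSTS = {
    "goldapnews.pl",      # landing page on a compromised legitimate site
    "alasinmedia.pp.fi",  # js.js redirectors on compromised sites
    "boxpluss.com",
    "raja-sms.com",
    "66.151.244.191",     # compromised game server hosting the exploit kit
}
DROPPED_MD5 = "340f5884390ddcc42837078d63b6f293"

# Generic structure patterns (assumption: generalised from the post's URLs).
# Matched against path plus query string, so a new, not-yet-listed host
# using the same layout is still flagged.
PATTERNS = [
    ("redirector-js", re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")),
    ("landing-html", re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")),
    ("kit-landing", re.compile(r"^/showthread\.php\?t=[0-9a-f]{16}$")),
    # ap2.php is assumed here to serve the exploit file or payload download.
    ("kit-download", re.compile(r"^/data/ap2\.php\?f=[0-9a-f]+$")),
]

# Constructed Squid native access-log lines: timestamp, elapsed ms, client,
# result code, size, method, URL, ident, hierarchy, content type.
SAMPLE_LOG = """\
1334155201.123 245 10.0.0.5 TCP_MISS/200 8123 GET http://goldapnews.pl/zh6jPwn1/index.html - DIRECT/203.0.113.10 text/html
1334155201.587 90 10.0.0.5 TCP_MISS/404 512 GET http://boxpluss.com/00o6FfJc/js.js - DIRECT/203.0.113.11 text/html
1334155202.001 310 10.0.0.5 TCP_MISS/200 4410 GET http://66.151.244.191/showthread.php?t=73a07bcb51f4be71 - DIRECT/66.151.244.191 text/html
1334155205.444 1200 10.0.0.5 TCP_MISS/200 158720 GET http://66.151.244.191/data/ap2.php?f=4203d - DIRECT/66.151.244.191 application/octet-stream
1334155210.000 50 10.0.0.7 TCP_HIT/200 2048 GET http://www.example.com/news/index.html - NONE/- text/html
"""


def classify_url(url):
    """Return the indicator labels matching `url` (empty list if clean)."""
    parts = urlsplit(url)
    hits = []
    if (parts.hostname or "") in KNOWN_HOSTS:
        hits.append("known-host")
    target = parts.path + ("?" + parts.query if parts.query else "")
    for label, rx in PATTERNS:
        if rx.match(target):
            hits.append(label)
    return hits


def scan_log(text):
    """Return (client, url, labels) for every log line with at least one hit.

    A 404 on a js.js redirector is still reported: the client was exposed
    even if the compromised site had already been cleaned up.
    """
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        labels = classify_url(url)
        if labels:
            findings.append((client, url, labels))
    return findings


def likely_infected(findings):
    """Clients that fetched both the kit landing page and its download URL."""
    stages = {}
    for client, _url, labels in findings:
        stages.setdefault(client, set()).update(labels)
    return sorted(c for c, s in stages.items() if {"kit-landing", "kit-download"} <= s)


def matches_dropped_sample(data):
    """True if `data` has the MD5 of the executable dropped by the campaign."""
    return hashlib.md5(data).hexdigest() == DROPPED_MD5


if __name__ == "__main__":
    for client, url, labels in scan_log(SAMPLE_LOG):
        print(client, url, ",".join(labels))
    print("likely infected:", likely_infected(scan_log(SAMPLE_LOG)))
```

Treat the structure patterns as hunting leads rather than blocking rules: the eight-character directory convention is shared by many compromised-site redirectors of this period, and the kit operator can change paths at will, whereas the exact hosts and the MD5 are firm indicators for as long as the infrastructure stays up.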

Based on the campaign’s structure, it was launched by the same gang of cybercriminals behind the recent campaigns “Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware” and “Spamvertised LinkedIn notifications serving client-side exploits and malware”.

Webroot expects the gang to keep diversifying the brands it hijacks, and to keep relying on the fact that end and corporate users continue to browse the Web with outdated versions of their third-party software and browser plugins.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

