May 11, 2012, by Dancho Danchev

Spamvertised ‘Pizzeria Order Details’ themed campaign serving client-side exploits and malware

End and corporate users (and especially Pizza eaters), beware!

Cybercriminals are currently spamvertising hundreds of thousands of emails impersonating FLORENTINO's Pizzeria, enticing users into clicking on a link that serves client-side exploits and malware, supposedly in order to cancel a $169.90 order they never actually placed.

More details:

Once the user clicks on the link, they will be redirected to a compromised site serving client-side exploits and ultimately dropping multiple malicious binaries on their hosts upon a successful infection.

Malicious URL: hxxp://

Client-side exploits used: CVE-2010-0188 and CVE-2012-0507

The malicious URL contains a tiny iFrame pointing to the fast-fluxed domain where the client-side exploitation takes place.
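The tiny iframe mentioned above is the usual way a compromised page hands the visitor off to the exploit host without anything visible changing. As an added example (not code from the original post), the following Python script flags iframes that are both off-site and either tiny or hidden via CSS; the sample HTML, the `TINY_PX` threshold and the hostnames in it are constructed for this illustration.

```python
# Added example (not from the original post): flag tiny or CSS-hidden <iframe>
# elements that pull content from another domain, the redirector pattern
# described above. The sample HTML and hostnames below are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 5  # assumption for this example: frames at or below 5x5 px count as "tiny"


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _px(value):
    """Parse '1' or '1px' into an int; return None for percentages or missing values."""
    if value is None:
        return None
    v = value.strip().lower().rstrip("px").strip()
    try:
        return int(float(v))
    except ValueError:
        return None


def _style_hidden(style):
    """True if the inline style hides the frame or collapses it to zero size."""
    s = (style or "").replace(" ", "").lower()
    return any(m in s for m in ("display:none", "visibility:hidden", "width:0", "height:0"))


def find_suspicious_iframes(html, page_host):
    """Return [(src, reason)] for iframes that are off-site and tiny or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if not host or host == page_host:
            continue  # same-origin or relative frames are not the pattern of interest
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        reasons = []
        if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            reasons.append(f"tiny {w}x{h}")
        if _style_hidden(attrs.get("style")):
            reasons.append("hidden via CSS")
        if reasons:
            hits.append((src, ", ".join(reasons)))
    return hits


# Constructed sample: one legitimate embedded video frame plus an injected 1x1 frame.
SAMPLE_HTML = """
<html><body>
<iframe src="https://video.example.com/embed/123" width="640" height="360"></iframe>
<iframe src="http://redirector.example.net/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"suspicious iframe: {src} ({why})")
```

Run it over the HTML of a page you suspect was compromised; a hit is a lead to investigate, not proof on its own, since legitimate tracking pixels use the same markup.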

The redirection chain is as follows: -> -> -> ->

The Russian domains are fast-fluxed by the cybercriminals in an attempt to make it harder for security researchers and vendors to take down their campaign. We’ve seen a similar fast-flux technique applied in the following campaign – “Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware”.
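Fast-flux hosting leaves a recognisable footprint in DNS data: short TTLs, an unusually large pool of A records, and answers that change almost completely from one lookup to the next. The script below is an added example (not from the original post or Webroot) that scores a set of DNS observations against those three indicators; the `DnsObservation` records, the thresholds and the domain names are constructed for the illustration, and the thresholds should be tuned against your own passive-DNS baseline.

```python
# Added example (not from the original post): score DNS observations for
# fast-flux characteristics. All records and thresholds below are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DnsObservation:
    domain: str
    ts: int      # epoch seconds of the lookup
    ttl: int     # TTL reported in the answer
    ips: tuple   # A records returned in that answer


# Assumed thresholds for this example; tune against your own baseline.
MAX_TTL = 300          # answers at or below this TTL count as "short-lived"
MIN_DISTINCT_IPS = 10  # distinct A records seen across all lookups
MIN_CHURN = 0.5        # fraction of an answer's IPs absent from the previous answer


def score_domain(observations):
    """Return (score, details); score is 0..3, one point per fast-flux indicator."""
    obs = sorted(observations, key=lambda o: o.ts)
    distinct = set()
    for o in obs:
        distinct.update(o.ips)
    low_ttl = all(o.ttl <= MAX_TTL for o in obs)
    churn = []
    for prev, cur in zip(obs, obs[1:]):
        new = set(cur.ips) - set(prev.ips)
        churn.append(len(new) / len(cur.ips) if cur.ips else 0.0)
    avg_churn = sum(churn) / len(churn) if churn else 0.0
    score = int(low_ttl) + int(len(distinct) >= MIN_DISTINCT_IPS) + int(avg_churn >= MIN_CHURN)
    details = {"distinct_ips": len(distinct), "low_ttl": low_ttl, "avg_churn": round(avg_churn, 2)}
    return score, details


def score_all(observations):
    """Group observations by domain and score each one."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)
    return {d: score_domain(v) for d, v in by_domain.items()}


# Constructed observations: one domain cycling through fresh 192.0.2.0/24 hosts
# (documentation range) every minute with 60-second TTLs, one stable domain.
SAMPLE = [
    DnsObservation("flux.example", 0, 60, ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4")),
    DnsObservation("flux.example", 60, 60, ("192.0.2.5", "192.0.2.6", "192.0.2.7", "192.0.2.8")),
    DnsObservation("flux.example", 120, 60, ("192.0.2.9", "192.0.2.10", "192.0.2.11", "192.0.2.12")),
    DnsObservation("stable.example", 0, 3600, ("198.51.100.10",)),
    DnsObservation("stable.example", 60, 3600, ("198.51.100.10",)),
]

if __name__ == "__main__":
    for domain, (score, details) in score_all(SAMPLE).items():
        print(f"{domain}: score {score}/3 {details}")
```

A domain scoring 3/3 here is a strong candidate for blocking at the resolver or proxy; CDN-fronted sites can score 1 or 2 on the TTL and IP-count indicators alone, which is why the churn measure between consecutive answers is the most discriminating of the three.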

Upon successful exploitation the campaign drops the following binary on the infected hosts: MD5: 03d874abaaca02b090372eee2d090dc0, detected as Trojan.Generic.KDV.602078; Troj/Agent-VSS.

What happens once the dropped binary executes? Basically, it phones back to the following domains/URLs:


It also downloads more malicious binaries from the following compromised URLs:


All the binaries are identical and have the following MD5: 97d8f1fa11c86befa069845ffaf818db, currently detected as TrojWare.Win32.Kryptik.ADXK by 7 out of 42 antivirus scanners.
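The two MD5s quoted in this post are the indicators most readers will actually act on. The script below is an added example (not Webroot's code or part of the original post) that walks a directory tree, hashes each file in chunks and reports any file matching an indicator list. Only the two hashes from the post are real; the `demo()` helper, its scratch files and the third "abc" indicator are constructed so the example runs offline.

```python
# Added example (not from the original post): sweep a directory tree for files
# whose MD5 matches a published indicator. The two POST_IOCS entries are the
# hashes quoted in the post; everything in demo() is constructed test data.
import hashlib
import os
import tempfile

# Indicators named in the post, with the detection names it reports.
POST_IOCS = {
    "03d874abaaca02b090372eee2d090dc0": "dropper (Trojan.Generic.KDV.602078 / Troj/Agent-VSS)",
    "97d8f1fa11c86befa069845ffaf818db": "second-stage binary (TrojWare.Win32.Kryptik.ADXK)",
}


def md5_of_file(path, chunk=1 << 16):
    """Hash a file in 64 KiB chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Walk root and return {path: label} for every file whose MD5 is in iocs."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(p)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping rather than abort
            if digest in iocs:
                hits[p] = iocs[digest]
    return hits


def demo():
    """Scan a scratch directory holding one matching and one clean file (constructed data)."""
    test_iocs = dict(POST_IOCS)
    # Constructed indicator so the demo has something to match without real malware.
    test_iocs[hashlib.md5(b"abc").hexdigest()] = "constructed test indicator"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "suspect.bin"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(d, "clean.txt"), "wb") as f:
            f.write(b"nothing to see here")
        hits = scan_tree(d, test_iocs)
        return sorted(os.path.basename(p) for p in hits), sorted(hits.values())


if __name__ == "__main__":
    print(demo())
```

Point `scan_tree()` at a user's temp and download folders with `POST_IOCS` to check a host that received this email; the same indicator dictionary can be extended with hashes from your own sandbox runs.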

Webroot SecureAnywhere customers are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


4 Responses to Spamvertised ‘Pizzeria Order Details’ themed campaign serving client-side exploits and malware

  1. Beware.. Pizza Lovers!!!..

    I have shared this on the Facebook Internet Security Group so that every security geek is aware of this…

    Also, I love your articles on “Blackhat SEO”; looking for some more from you, Webroot Team..

  2. Pingback: Spamvertised ‘Your order confirmation’ emails serving client-side exploits and malware « Webroot Threat Blog

  3. Pingback: Webroot’s Threat Blog Most Popular Posts for 2012 « Webroot Threat Blog – Internet Security Threat Updates from Around the World
