May 22, 2012Dancho Danchev By Dancho Danchev

Spamvertised bogus online casino themed emails serving adware

Cybercriminals are currently spamvertising online casino themed emails, which ultimately redirect users to a bogus casino site offering an executable download. Upon deeper examination, it appears that the download is actually adware.

More details:

Spamvertised URL, including affiliate ID: hxxp:// – currently responding to;

Detection rate for GrandParker.exe: MD5: 7bec7eb7f891c1c894536c10fe53c34d, Detected by 6 out of 42 antivirus scanners as GAME/Casino.Gen2; W32/CasOnline; W32/Casino.HNY

Upon execution it  phones back to the following URL in order to download  the setup file:

Detection rate for Grand_Parket_Casino.msi: MD5: e5fa6bc94ee9a5becfd6d5d1cb8f1147, Detected by 1 out of 41 antivirus scanners as PUA.Packed.PECompact-1

The cybercriminals behind the spamvertised campaign are earning revenue through the Hastings International B.V. distributor of RealTime Gaming software.

Webroot SecureAnywhere customers are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button


  1. […] Recently, Webroot decided to sample malicious activity within some of the most popular Eastern European torrent trackers, based in Bulgaria, Ukraine, and Romania for starters. The results? Countless backdoored key generators and cracks for popular games and software, and most interestingly, monetization of the huge traffic by delivering pop-ups promoting the ubiquitous W32/Casonline adware, which in case you remember was recently spamvertised to millions of end and corporate users. […]

  2. […] campaigns attempting to trick users into visiting a bogus web site, and downloading a copy of the potentially unwanted application (PUA) most commonly known […]