Cybercriminals are currently mass mailing millions of emails impersonating eBay and PayPal in an attempt to trick end and corporate users into clicking on the malicious links found in the emails. Upon clicking on any of them, user are exposed to the client-side exploits served by the Black Hole exploit kit.
Screenshot of the spamvertised PayPal themed email:
Upon clicking on the link, users are exposed to the following bogus “Page loading…” page:
Spamvertised URLs: hxxp://deafstudiestrust.org.uk/avail.html; hxxp://tomstexascountycourthouses.com/wp-content/uploads/fgallery/avail.html
Client-side exploits serving URL: hxxp://toeplunge.org/main.php?page=298e0c1b89821c16
The same client-side exploits serving URL has been used in another recently profiled spamvertised campaign, this time impersonating AICPA.
Upon successful client-side exploitation, the campaign drops MD5: 96f7c9d231bc5835e4a7c07bc94c5b4a on the affected hosts, currently detected by 2 out of 41 antivirus scanners as UDS:DangerousObject.Multi.Generic; WS.Reputation.1
Once executed, the sample will phone back to hxxp://188.8.131.52:8080/mx5/B/in. We’ve also seen the same C&C used in yet another previously profiled spamvertised campaign, this time impersonating Craigslist.
Based on these observations, we can easily conclude that a single cybercriminal or a gang of cybercriminals is systematically introducing undetected malicious executables and rotating the client-side exploits serving URLs, next to impersonating popular brands in an attempt to socially engineer users into interacting with these malicious emails.
This is the second PayPal/eBay themed malicious campaign that we’ve intercepted and profiled in recent months. We predict that due to the obvious high click-through rates thanks to the systematic rotation of the malicious domains and impersonated brands, we’ll see more campaigns abusing their trusted Web reputation.
PayPal has information on their website to help users identify legitimate emails.
Webroot SecureAnywere users are proactively protected from this threat.