Cybercriminals are currently mass mailing millions of emails impersonating eBay and PayPal in an attempt to trick end users and corporate users into clicking on the malicious links found in the emails. Upon clicking on any of them, users are exposed to the client-side exploits served by the Black Hole exploit kit.

More details:

Screenshot of the spamvertised PayPal themed email:

Upon clicking on the link, users are exposed to the following bogus “Page loading…” page:

Spamvertised URLs:
hxxp://deafstudiestrust.org.uk/avail.html
hxxp://tomstexascountycourthouses.com/wp-content/uploads/fgallery/avail.html

Client-side exploits serving URL: hxxp://toeplunge.org/main.php?page=298e0c1b89821c16

The same client-side exploits serving URL has been used in another recently profiled spamvertised campaign, this time impersonating AICPA.

Client-side exploits served: CVE-2010-0188, CVE-2010-1885

Upon successful client-side exploitation, the campaign drops MD5: 96f7c9d231bc5835e4a7c07bc94c5b4a on the affected hosts, currently detected by 2 out of 41 antivirus scanners as UDS:DangerousObject.Multi.Generic; WS.Reputation.1.

Once executed, the sample will phone back to hxxp://87.204.199.100:8080/mx5/B/in. We’ve also seen the same C&C used in yet another previously profiled spamvertised campaign, this time impersonating Craigslist.

Based on these observations, we can conclude that a single cybercriminal or a gang of cybercriminals is systematically introducing undetected malicious executables, rotating the client-side exploits serving URLs, and impersonating popular brands in an attempt to socially engineer users into interacting with these malicious emails.
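The indicators quoted above form a three-stage chain (spamvertised lure, exploit kit URL, C&C check-in). The following added example, written for this post rather than taken from it, refangs the hxxp:// indicators, matches them against constructed proxy log lines, and flags any client seen traversing the whole chain in order; the log format and the client addresses are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the write-up, in the defanged hxxp:// form the post uses.
SPAMVERTISED_URLS = [
    "hxxp://deafstudiestrust.org.uk/avail.html",
    "hxxp://tomstexascountycourthouses.com/wp-content/uploads/fgallery/avail.html",
]
EXPLOIT_URL = "hxxp://toeplunge.org/main.php?page=298e0c1b89821c16"
C2_URL = "hxxp://87.204.199.100:8080/mx5/B/in"

def refang(url):
    """Turn the defanged hxxp:// form into a URL urlparse understands."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def build_watchlist():
    """Map each indicator's host[:port] to the stage of the chain it belongs to."""
    labelled = [(u, "lure") for u in SPAMVERTISED_URLS]
    labelled += [(EXPLOIT_URL, "exploit-kit"), (C2_URL, "c2")]
    return {urlparse(refang(u)).netloc.lower(): stage for u, stage in labelled}

# Constructed proxy log lines (time client method url status); not from the post.
SAMPLE_LOG = """\
09:14:02 10.0.0.21 GET http://www.paypal.com/ 200
09:14:40 10.0.0.21 GET http://tomstexascountycourthouses.com/wp-content/uploads/fgallery/avail.html 200
09:14:41 10.0.0.21 GET http://toeplunge.org/main.php?page=298e0c1b89821c16 200
09:15:07 10.0.0.21 POST http://87.204.199.100:8080/mx5/B/in 200
09:16:00 10.0.0.33 GET http://example.org/index.html 200
"""

def scan(log_text, watch=None):
    """Return (client, stage, url) hits, in log order, for requests to watched hosts."""
    watch = watch if watch is not None else build_watchlist()
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash the scan
        _time, client, _method, url, _status = parts[:5]
        netloc = urlparse(url).netloc.lower()
        if netloc in watch:
            hits.append((client, watch[netloc], url))
    return hits

def likely_compromised(hits):
    """Clients that hit every stage in order: lure -> exploit-kit -> c2."""
    order = ["lure", "exploit-kit", "c2"]
    progress = {}
    for client, stage, _url in hits:
        i = progress.get(client, 0)
        if i < len(order) and stage == order[i]:
            progress[client] = i + 1
    return sorted(c for c, i in progress.items() if i == len(order))
```

A client that only fetched the lure page is reported as a hit but not as compromised; the C&C check-in after the exploit kit URL is what escalates it.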

This is the second PayPal/eBay themed malicious campaign that we’ve intercepted and profiled in recent months. We predict that, given the obviously high click-through rates the systematic rotation of malicious domains and impersonated brands produces, we’ll see more campaigns abusing their trusted Web reputation.

PayPal has information on their website to help users identify legitimate emails.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
