Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole exploit kit

by


Sticking to their well proven social engineering tactics consisting of systematic rotation of the abused brands, cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick end and corporate users into interacting with the malicious campaign.

Once the interaction takes place, users are exposed to the client-side exploits served by the Black Hole exploit kit, currently the market share leader within the cybercrime ecosystem.

More details:

Screenshot of the spamvertised email:

Upon clicking on the link, users are exposed to bogus “Page loading…” page:

Spamvertised URLs: hxxp://earbudsforrunning.com/welcpp.htmlhxxp://vitva-musicgroup.com/wp-content/uploads/fgallery/traninfo.htmlhxxp://imune.org.br/traninfo.html

Client-side exploit serving URL: hxxp://teloexpressions.org/main.php?page=9aca5bbc34d3ebd6

Client-side exploits served: CVE-2010-0188CVE-2010-1885

Detection rate for a sample redirection script: MD5: 2276947d2f3a7abc88e89089e65dce23

Upon successful client-side exploitation, the campaign drops MD5: 05e0958ef184a27377044655d7b23cb0 on the affected hosts, detected by 28 out of 41 antivirus scanners as Trojan.Generic.KDV.679870; Trojan-Dropper.Win32.Dapato.bnej.

Upon execution the sample phones back to a well known command and control server87.204.199.100/mx5/B/in/ which we’ve already seen in several previously profiled malware-serving campaigns.

As we’ve already predicted, the cybercriminal or gang of cybercriminals behind these persistent and massive spam campaigns will simply continue rotating the impersonated brands in an attempt to target millions of users across multiple Web properties.

PayPal has information on their website to help users identify legitimate emails.

Webroot SecureAnywere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


0 comments

Trackbacks

  1. בוטוקס הזעת יתר בידיים…

    … בוטוקס שפתיים – במספר מרכזים רפואיים באנגליה ובארה ב, משתמשים בבוטוקס משתנה מאדם לאדם, בהתאם למצבו, סוג העור ואזור הטיפול המבוקש. במהלך טיפול של 10 דקות ומבוצע ללא כאבים רבים וללא תופעות לוואי … Spamvertised 'PayPal has sent you a bank tr…

  2. [...] control served used in several malware-serving campaigns, namely, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam [...]

  3. [...] as, for instance, the AT&T Billing Center impersonation one, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam [...]

  4. [...] Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole exploit kit [...]