IRS themed spam campaign leads to Black Hole exploit kit

by Dancho Danchev


Recently, cybercriminals launched yet another massive spam campaign, this time impersonating the Internal Revenue Service (IRS) in an attempt to trick taxpayers into clicking on a link that supposedly points to a Microsoft Word document. Once the user clicks on it, they are redirected to a Black Hole exploit kit landing URL, where they are exposed to the client-side exploits served by the kit.

More details:

Screenshot of the spamvertised IRS themed email:

Once the user clicks on the link pointing to a Black Hole landing URL, they are shown the following bogus “Page loading…” page while the exploits are served in the background:

Spamvertised URLs (redirection scripts):
hxxp://tiraccontolamusica.it/reves.html
hxxp://marcina.pl//reves.html
hxxp://juegosinternet.org/reves.html
hxxp://breastenlargementratings.com/reves.html

Client-side exploits serving URL (Black Hole landing page):
hxxp://retweetadministrator.org/main.php?page=8b45f871830c6e5a

Client-side exploits served:
CVE-2010-0188 (Adobe Reader/Acrobat TIFF handling)
CVE-2010-1885 (Windows Help and Support Center hcp:// URL handling)

Detection rate for a sample redirection script: MD5: 1ab7543c3c7857eec5014b3de5da362e detected by 3 out of 41 antivirus scanners as JS/Iframe.W!tr; Trojan-Downloader.JS.Iframe.czj.

Upon successful client-side exploitation, the campaign drops MD5: 6d7b7d2409626f2c8c166373e5ef76a5 on the affected hosts, currently detected by 30 out of 41 antivirus scanners as Trojan-Ransom.Win32.Gimemo.akxc.
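The indicators above (the redirector hosts and their reves.html path, the Black Hole landing host and its main.php?page=&lt;16 hex&gt; pattern, and the two MD5 hashes) are what a responder would hunt for in proxy logs and endpoint hash inventories. The following Python script is an added example, not code from the post or from Webroot; it embeds those indicators, assumes a simple constructed proxy log format of "timestamp client_ip method url", and generalizes the landing URL match to any host serving that page pattern, since the kit's landing path is not tied to a single domain.

```python
import re
from dataclasses import dataclass

# Indicators of compromise taken from the post (hxxp:// written as http:// for matching).
REDIRECT_HOSTS = {
    "tiraccontolamusica.it",
    "marcina.pl",
    "juegosinternet.org",
    "breastenlargementratings.com",
}
LANDING_HOST = "retweetadministrator.org"
# Black Hole landing URLs in this campaign look like /main.php?page=<16 hex chars>.
# Matching the pattern on any host catches the same kit on domains not listed here.
LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}\b")
KNOWN_MD5 = {
    "1ab7543c3c7857eec5014b3de5da362e": "JS/Iframe redirection script",
    "6d7b7d2409626f2c8c166373e5ef76a5": "Trojan-Ransom.Win32.Gimemo payload",
}

# Assumed (constructed) proxy log layout: "<timestamp> <client_ip> <method> <url>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)")


@dataclass
class Hit:
    line_no: int
    client: str
    reason: str
    url: str


def host_of(url):
    """Return the lower-cased host part of an absolute URL, or '' if none."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def scan_proxy_log(lines):
    """Flag requests to the spamvertised redirectors or to a Black Hole landing URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line; ignore
        client, url = m.group(2), m.group(4)
        host = host_of(url)
        # The redirectors all serve /reves.html (one of them with a doubled slash).
        if host in REDIRECT_HOSTS and url.lower().endswith("/reves.html"):
            hits.append(Hit(n, client, "spamvertised redirector", url))
        elif host == LANDING_HOST or LANDING_RE.search(url):
            hits.append(Hit(n, client, "Black Hole landing URL", url))
    return hits


def check_hashes(hashes):
    """Map any known-bad MD5 (case-insensitive) to its description from the post."""
    return {h: KNOWN_MD5[h] for h in (x.lower() for x in hashes) if h in KNOWN_MD5}


# Constructed sample log: one victim follows the chain, a second host is clean,
# and a third request shows the landing pattern on a host not in the post.
SAMPLE_LOG = [
    "2012-03-12T10:01:02Z 10.0.0.5 GET http://tiraccontolamusica.it/reves.html",
    "2012-03-12T10:01:03Z 10.0.0.5 GET http://retweetadministrator.org/main.php?page=8b45f871830c6e5a",
    "2012-03-12T10:01:04Z 10.0.0.5 GET http://marcina.pl//reves.html",
    "2012-03-12T10:02:00Z 10.0.0.7 GET http://example.com/index.html",
    "2012-03-12T10:02:05Z 10.0.0.7 GET http://someotherhost.example/main.php?page=0123456789abcdef",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.reason}: {hit.url}")
    print(check_hashes(["6D7B7D2409626F2C8C166373E5EF76A5", "deadbeef"]))
```

A client that hits a redirector and then a landing URL within seconds, as 10.0.0.5 does in the sample, is the sequence to escalate: the redirect script ran, so the exploits were served, and the dropped payload hash should be checked on that endpoint.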

Also, as you can see in the first screenshot, the cybercriminals behind the campaign didn’t bother to use a “cultural diversity on demand” underground market proposition, a service that localizes a message or a web site into the native language of the prospective victim. As a result, they failed to formulate their sentences properly, which raises suspicion in the eyes of the prospective victim.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
