August 21, 2012, by Dancho Danchev

Cybercriminals spamvertise bogus greeting cards, serve exploits and malware

Think you’ve received an online greeting card from Think twice!

Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service in an attempt to trick end users and corporate users into clicking on links that serve client-side exploits and malware, courtesy of the Black Hole web malware exploitation kit.

What’s so special about this campaign? Can we connect it to previously spamvertised campaigns profiled at Webroot’s Threat Blog? Let’s find out.

More details:

Screenshot of the spamvertised email:

Upon clicking on any of the links found in the malicious emails, users are exposed to the following bogus “Page loading…” page:

Obfuscated JavaScript redirection:

Spamvertised malicious URLs: hxxp://; hxxp://; hxxp://; hxxp://; hxxp://; hxxp://

Client-side exploits serving URLs: hxxp:// –; hxxp://; hxxp://

Client-side exploits served: CVE-2010-1885

Upon successful exploitation, the campaign drops MD5: 42307705ad637c615a6ed5fbf1e755d1 – detected by 25 out of 42 antivirus scanners as Trojan.Win32.Yakes.ansm; Mal/Katusha-I.

Upon successful execution, the sample phones back to
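The chain just described (spam link, bogus "Page loading…" redirector, Black Hole landing page, then the dropped sample phoning home) is the sequence a defender would hunt for in web proxy logs. The following Python is an added example, not code from the original post or from Webroot; the hostnames (all under the reserved .invalid TLD) and the log lines are constructed placeholders standing in for the campaign's domains, which are not reproduced on this page.

```python
"""Reconstruct redirector -> exploit-kit -> C&C request chains from proxy logs.
Added example, not from the original post. All hostnames and log lines are
constructed placeholders; the real campaign domains are not shown here."""
import re
from collections import defaultdict

# Constructed proxy log: time client method url referrer status
SAMPLE_LOG = """\
10:01:02 10.0.0.5 GET http://ecard-redirector.invalid/view.php?id=7 - 200
10:01:03 10.0.0.5 GET http://exploit-landing.invalid/main.php?page=a1b2 http://ecard-redirector.invalid/view.php?id=7 200
10:01:05 10.0.0.5 GET http://exploit-landing.invalid/w.php?f=1&e=2 http://exploit-landing.invalid/main.php?page=a1b2 200
10:01:09 10.0.0.5 GET http://cnc-server.invalid/gate.php - 200
10:02:00 10.0.0.9 GET http://news.example/index.html - 200
"""

# Per-stage URL indicators (constructed); in practice these come from threat intel
STAGE_PATTERNS = {
    "redirector": re.compile(r"^http://ecard-redirector\.invalid/"),
    "exploit_kit": re.compile(r"^http://exploit-landing\.invalid/(main|w)\.php"),
    "c2": re.compile(r"^http://cnc-server\.invalid/"),
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Parse the space-separated log into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, _method, url, referrer, _status = m.groups()
            events.append({"ts": ts, "client": client, "url": url, "referrer": referrer})
    return events

def classify(url):
    """Map a URL to its campaign stage, or None if it matches no indicator."""
    for stage, pat in STAGE_PATTERNS.items():
        if pat.search(url):
            return stage
    return None

def find_infection_chains(events):
    """Return {client: stages} for clients whose hits form the full redirector -> EK -> C2 sequence."""
    per_client = defaultdict(list)
    for ev in events:
        stage = classify(ev["url"])
        if stage and per_client[ev["client"]][-1:] != [stage]:  # collapse repeated hits on one stage
            per_client[ev["client"]].append(stage)
    return {c: s for c, s in per_client.items() if s == ["redirector", "exploit_kit", "c2"]}
```

A client that only reached the redirector (for example, one whose browser was not vulnerable to CVE-2010-1885) is not reported, which keeps the output to hosts that need incident response rather than every recipient who clicked.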

More MD5s are known to have phoned back to the same command and control server, for instance:

MD5: b11421acddbfc94544482d1846ba6d97
MD5: 4e0053fe00b65627c07dc8c85c85a351
MD5: 90d1b3367e97f384af029b0f1674f7ff
MD5: d2be252de958b7435279c6e8f270de4e

is actually a name server offering DNS resolving services to related malicious and command and control servers that are part of the campaign, such as:

Associated malicious name servers part of the campaign’s infrastructure:

Related client-side exploit and malware serving URLs spamvertised in the same campaign also drop MD5: cd0aac6df71fa28d4564406a24f7e1a2 – detected by 28 out of 42 antivirus scanners as Gen:Variant.Zusy.15382; P2P-Worm.Win32.Palevo.fbvx

The second sample phones back to Not surprisingly, we’ve already seen this command and control server used in numerous previously profiled campaigns, such as the AT&T Billing Center impersonation, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

8 Responses to Cybercriminals spamvertise bogus greeting cards, serve exploits and malware

  1. This is a fraudulent email sent by an imposter. Do not click on the link or download the attachment. does not send any attachment or .exe file link in the email. There is no spurious software/virus associated with any email that you receive from All ecards that are sent using the system are stored on the servers. You do not have to install any software to send/receive and view an ecard from our website.

    Please click on the following FAQ links to know the difference between legitimate ecard emails from and fraudulent emails sent by any imposter:

    Note: Please send us the received email as an attachment with full email header part, enabling us to investigate and to take necessary action against the imposter.

    Please click on the following link to know how to get an email header. is trying hard to stop these spamming activities by complaining to the respective authorities to block the IPs the spam originated from.

  2. Pingback: Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole exploit kit « Webroot Threat Blog

  3. Pingback: Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit « Webroot Threat Blog

  4. Pingback: Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit « Webroot Threat Blog

  5. Pingback: Cybercriminals resume spamvertising bogus greeeting cards, serve exploits and malware « Webroot Threat Blog

  6. Pingback: Spamvertised ‘Your Fedex invoice is ready to be paid now’ themed emails lead to Black Hole Exploit kit « Webroot Threat Blog

  7. Pingback: It’s The Most Dangerous Time of the Year! | Malwarebytes Unpacked

  8. THANK YOU FOR WATCHING OUR BACKS~~~~and also for daily watching my computers!!!!!! you are the best!!!!
