Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails

Over the past 24 hours, cybercriminals have spamvertised millions of emails impersonating Intuit Market, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails.

Upon clicking on them, users are exposed to the client-side exploits served by the Black Hole web malware exploitation kit.

More details:

Sample screenshot of the spamvertised email:

Spamvertised malicious iFrame domains: hxxp://kolmykiaonline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c; hxxp://anapoli.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c

Client-side exploits served: CVE-2010-1885; CVE-2010-0188

Upon successful client-side exploitation, the campaign drops MD5: aea6d9be93a6f64357b96db96e9c7e10 – detected by 20 out of 42 antivirus scanners as Trojan-Dropper.Win32.Dapato.bpqu; Worm:Win32/Cridex.E – and MD5: 7fe4d2e52b6f3f22b2f168e8384a757e – detected by 28 out of 42 antivirus scanners as Trojan.Win32.Buzus.lxwt; Worm:Win32/Cridex.E.
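As an added example, not part of the original post, here is the kind of detection logic a defender could run over web proxy logs for this campaign: it matches the two iFrame domains and the dropped-file MD5s listed above, and it also matches the landing-page URL shape (`/forum/showthread.php?page=` followed by 16 hex characters, on port 8080) so that the same kit on a domain not yet on the list is still flagged. The log lines and their format are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the post above (iFrame domains and dropped-file hashes).
MALICIOUS_DOMAINS = {"kolmykiaonline.ru", "anapoli.ru"}
DROPPED_MD5S = {
    "aea6d9be93a6f64357b96db96e9c7e10",
    "7fe4d2e52b6f3f22b2f168e8384a757e",
}
# Both landing URLs share one shape: /forum/showthread.php?page=<16 hex chars>.
LANDING_PATH = "/forum/showthread.php"
PAGE_PARAM_RE = re.compile(r"^[0-9a-f]{16}$")

def classify_url(url: str) -> list[str]:
    """Return the reasons a URL looks like this campaign's landing page (empty if none)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in MALICIOUS_DOMAINS:
        reasons.append("known domain")
    page = parse_qs(parts.query).get("page", [""])[0]
    if parts.path == LANDING_PATH and PAGE_PARAM_RE.match(page):
        reasons.append("campaign URL shape")
        if parts.port == 8080:
            reasons.append("port 8080")
    return reasons

# Constructed proxy log lines (not from the post): "<client> <status> <method> <url>".
SAMPLE_LOG = """\
10.0.0.5 200 GET http://kolmykiaonline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
10.0.0.7 200 GET http://example.com/forum/showthread.php?page=12
10.0.0.9 200 GET http://other-host.example:8080/forum/showthread.php?page=0123456789abcdef
10.0.0.5 200 GET http://intuit.example/market/login
"""

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, url, reasons) for every log line that triggers an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:  # skip truncated or malformed lines
            continue
        reasons = classify_url(fields[3])
        if reasons:
            hits.append((fields[0], fields[3], reasons))
    return hits

def is_known_dropper(md5_hex: str) -> bool:
    """Check a file hash against the MD5s the post reports for the dropped payloads."""
    return md5_hex.lower() in DROPPED_MD5S
```

The URL-shape rule deliberately fires on the third constructed line even though its host is not on the list; treat such hits as leads to confirm, not as proof.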

Name servers part of the campaign’s infrastructure:

We’ve already seen the same IPs and command and control servers used in the recently profiled “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” campaign. Based on this fact, we can conclude that these campaigns are operated by the same cybercriminal/gang of cybercriminals.

The last time we profiled an Intuit-themed malicious campaign was in July 2012.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

