September 4, 2012 | By Dancho Danchev

Spamvertised ‘Wire Transfer Confirmation’ themed emails lead to Black Hole exploit kit

Over the past 24 hours, cybercriminals have started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end users and corporate users into previewing a malicious .html attachment. Once the attachment is opened in a browser, a tiny iframe embedded in it attempts to load a landing URL that serves client-side exploits, courtesy of the Black Hole web malware exploitation kit.
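The attachment trick described above (a visually negligible iframe that silently pulls the exploit kit's landing page) is easy to triage automatically before anyone opens the file. The following Python script is an added example written for this post, not code from the original article or from Webroot; the sample attachments, the TINY_PX threshold and the landing URLs in them are constructed for illustration and are not the campaign's real indicators.

```python
"""Flag HTML e-mail attachments that carry a hidden or near-invisible iframe
pointing at an external URL, the redirect pattern used by this campaign."""
import re
from html.parser import HTMLParser

# Constructed samples (not real campaign artifacts). The first mimics the
# described attachment: a 1x1, hidden iframe loading an external landing page.
SAMPLE_ATTACHMENT = """<html><body>
<p>Please wait while you are redirected to the UPS tracking page...</p>
<iframe src="http://landing.invalid/main.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

# Same idea, but the size is set via CSS instead of width/height attributes.
STYLE_ONLY_ATTACHMENT = """<html><body>
<iframe src="http://landing.invalid/index.php" style="width:1px; height:1px"></iframe>
</body></html>"""

# A benign embed of normal size should not be flagged.
BENIGN_ATTACHMENT = """<html><body><p>Your receipt</p>
<iframe src="https://www.example.com/embed" width="600" height="400"></iframe>
</body></html>"""

TINY_PX = 10  # assumed threshold: anything this small is effectively invisible


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a leading integer out of '1', '1px', ' 600' etc.; None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _style_px(style, prop):
    """Extract an integer width/height from an inline style declaration."""
    m = re.search(r"(?:^|;)\s*%s\s*:\s*(\d+)" % prop, style)
    return int(m.group(1)) if m else None


def is_suspicious_iframe(attrs):
    """Heuristic: an iframe is suspicious when it points at an absolute
    http(s) URL and is rendered invisible, either by being tiny (attribute
    or CSS size at or below TINY_PX) or by being hidden via CSS."""
    src = attrs.get("src", "")
    if not re.match(r"(?i)https?://", src):
        return False
    style = attrs.get("style", "").lower()
    width = _px(attrs.get("width"))
    height = _px(attrs.get("height"))
    if width is None:
        width = _style_px(style, "width")
    if height is None:
        height = _style_px(style, "height")
    tiny = (width is not None and width <= TINY_PX) or \
           (height is not None and height <= TINY_PX)
    compact = style.replace(" ", "")
    hidden = "visibility:hidden" in compact or "display:none" in compact
    return tiny or hidden


def scan_attachment(html):
    """Return the src of every suspicious iframe found in an HTML attachment."""
    parser = IframeCollector()
    parser.feed(html)
    return [f["src"] for f in parser.iframes if is_suspicious_iframe(f)]


if __name__ == "__main__":
    for name, body in [("sample", SAMPLE_ATTACHMENT),
                       ("style-only", STYLE_ONLY_ATTACHMENT),
                       ("benign", BENIGN_ATTACHMENT)]:
        print(name, "->", scan_attachment(body) or "clean")
```

Run it over quarantined .html attachments (the `scan_attachment` function takes the raw file contents); any hit is worth detonating in a sandbox, since the iframe's target is the exploit-serving landing page. The heuristic is deliberately conservative about what counts as "invisible", so a zero-size iframe with no src, or a JavaScript-built iframe, will not be caught by it.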

More details:

Sample screenshot of the spamvertised email:

Sample client-side exploits serving URL: hxxp://

Sample exploits served: CVE-2010-0188 (Adobe Reader/Acrobat TIFF handling); CVE-2010-1885 (Microsoft Windows Help and Support Center)

Upon successful client-side exploitation, the campaign drops MD5: 7fe4d2e52b6f3f22b2f168e8384a757e, detected by 28 out of 42 antivirus scanners as Worm:Win32/Cridex.E; Trojan.Win32.Buzus.lxwt.

Name servers part of the campaign’s infrastructure:

Responding to these IPs are also the following malicious command and control servers:

We’ve already seen these domains and IPs used in previously profiled campaigns such as the “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” and the “Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails” campaigns.

This isn’t the first time we’ve profiled malicious campaigns impersonating the United Parcel Service. Consider going through related posts profiling the dynamics of related campaigns:

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
