September 18, 2012, by Dancho Danchev

Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware

Cybercriminals are currently spamvertising millions of emails impersonating US Airways, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails. Let’s dissect the malicious campaign and expose its dynamics.

More details:

Sample screenshot of the spamvertised US Airways themed email:

Spamvertised compromised URL: hxxp://

Sample client-side exploit-serving URL: hxxp:// – (AS24559); Email:

Sample client-side exploits served: CVE-2010-1885

Also responding to the same IP (AS24559) are the following malicious domains:

Detection rate for a sample JavaScript redirection: MD5: 5c5a3c6e91c1c948c735e90009886e37 – detected by 3 out of 42 antivirus scanners as Mal/Iframe-W

Upon successful client-side exploitation, the campaign drops MD5: 9069210d0758b34d8ef8679f712b48aa on the infected hosts, detected by 6 out of 42 antivirus scanners as Trojan.Winlock.6049; W32/Cridex.R

Upon execution, the sample phones back to (AS40676).

More MD5s are known to have phoned back to the same IP, for instance:
MD5: 34cb2d621d61df32ae3ccf1e69007b8e
MD5: f621be555dc94a8a370940c92317d575
MD5: fd985d376b66af6e27a62ef91d7b0ce8

These MD5s also phone back to related command and control servers that are part of the malicious campaign, such as:

The last time we intercepted the same HTML template being used in the wild was in April 2012. Back then, we found an identical campaign structure between the US Airways themed campaign and the “Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware” and “Spamvertised LinkedIn notifications serving client-side exploits and malware” campaigns, leading us to the conclusion that it’s the same cybercriminal/gang of cybercriminals launching these attacks.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
