Cybercriminals spamvertise ‘Amazon Shipping Confirmation’ themed emails, serve client-side exploits and malware

Over the past week, cybercriminals have been spamvertising millions of emails impersonating Amazon.com in an attempt to trick customers into thinking that they’ve received a Shipping Confirmation for a Vizio XVT3D04, HD 40-Inch 720p 100 Hz Cinema 3D LED-LCD HDTV FullHD and Four Pairs of 3D Glasses.

Once users click on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit kit.

More details:

Sample screenshot of the spamvertised email:

Second screenshot of the spamvertised email impersonating Amazon.com Inc:

Once users click on the links found in the malicious email, they’re presented with the following bogus “Page loading…” page:

Sample subjects used in the spamvertised emails: Re: HD TV Waiting on delivery Few hours ago; Your HDTV Delivered Now; Re: HDTV Processed Yesterday; Re: Order Processed Today; Your Order Approved Few hours ago

Sample compromised URLs used in the malicious campaign:

Sample detection rate for the malicious JavaScript: Amazon.html – MD5: a8af3b2fba56a23461f2cc97a7b97830 – detected by 20 out of 43 antivirus scanners as JS/Obfuscus.AACB!tr; Trojan-Downloader.JS.Expack.ael

Client-side exploitation URLs: hxxp://webgrafismo.net/detects/rates-event_convinced-sent.php; hxxp://webgrafismo.net/detects/rates-event_convinced-sent.php?bve=3406073633&prny=3949&cmarvjgs=qqfngaf&gugrxt=qrs; hxxp://pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php
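The two indicators a mail gateway can act on from the details above are the reported subject lines and the fact that an Amazon-branded "shipping confirmation" links out to third-party hosts. The following triage routine is an added example, not Webroot's or Dancho Danchev's code; the sample messages are constructed, and the whitelist of legitimate Amazon hosts (amazon.com and its subdomains) is an assumption.

```python
import re
from urllib.parse import urlparse

# Subject lines reported for this campaign in the post above.
CAMPAIGN_SUBJECTS = {
    "Re: HD TV Waiting on delivery Few hours ago",
    "Your HDTV Delivered Now",
    "Re: HDTV Processed Yesterday",
    "Re: Order Processed Today",
    "Your Order Approved Few hours ago",
}

# Assumption: a genuine Amazon shipping confirmation links only to
# amazon.com or one of its subdomains. Extend for other Amazon TLDs.
AMAZON_HOSTS = ("amazon.com",)

# Matches both live URLs and defanged indicators (hxxp://, hxxps://).
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>]+", re.IGNORECASE)


def refang(url):
    """Turn a defanged indicator (hxxp://) back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def is_amazon_host(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in AMAZON_HOSTS)


def triage_email(subject, body):
    """Return the reasons a message resembles the campaign; empty if none."""
    reasons = []
    if subject.strip() in CAMPAIGN_SUBJECTS:
        reasons.append("subject matches a known campaign subject")
    amazon_themed = "amazon" in (subject + body).lower()
    for raw in URL_RE.findall(body):
        host = urlparse(refang(raw)).hostname or ""
        if amazon_themed and not is_amazon_host(host):
            reasons.append(f"Amazon-themed mail links to non-Amazon host {host}")
    return reasons


# Constructed samples: one campaign-style lure and one legitimate-looking mail.
LURE = ("Your HDTV Delivered Now",
        "Amazon.com Shipping Confirmation. Track your parcel: "
        "hxxp://compromised-site.invalid/wp-admin/order.html")
BENIGN = ("Your Amazon.com order has shipped",
          "Track it at https://www.amazon.com/gp/css/order-history")
```

`triage_email(*LURE)` returns two reasons (known subject plus an off-brand link host), while `triage_email(*BENIGN)` returns an empty list.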

Once client-side exploitation succeeds, the Black Hole Exploit kit drops a malicious PDF file (MD5: 9a22573eb991a3780791a2df9c55ddab) that exploits the CVE-2010-0188 vulnerability.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find out more about Dancho Danchev on his LinkedIn Profile. You can also follow him on Twitter.

