October 16, 2012 By Dancho Danchev

Cybercriminals spamvertise ‘Amazon Shipping Confirmation’ themed emails, serve client-side exploits and malware

Over the past week, cybercriminals have been spamvertising millions of emails impersonating Amazon.com in an attempt to trick customers into thinking that they’ve received a Shipping Confirmation for a Vizio XVT3D04, HD 40-Inch 720p 100 Hz Cinema 3D LED-LCD HDTV FullHD and Four Pairs of 3D Glasses.

Once users click on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit kit.

More details:

Sample screenshot of the spamvertised email:

Second screenshot of the spamvertised email impersonating Amazon.com Inc:

Once users click on the links found in the malicious email, they’re presented with the following bogus “Page loading…” page:

Sample subjects used in the spamvertised emails: Re: HD TV Waiting on delivery Few hours ago; Your HDTV Delivered Now; Re: HDTV Processed Yesterday; Re: Order Processed Today; Your Order Approved Few hours ago

Sample compromised URLs used in the malicious campaign: hxxp://manxwoman.net/administrator/amazinhdtv.html; hxxp://shuraki.com/wp-admin/hdtvamazon.html; hxxp://hagigim.net/wp-admin/hdtvamazon.html; hxxp://localsearchtrafficnow.com/wp-admin/hdtvamazon.html; hxxp://aclcinema.com/wp-admin/hdtvamazon.html; hxxp://mulberryhandbags.net/images/hdtvamazon.html; hxxp://doomsdaypreppersplan.com/wp-admin/hdtvamazon.html; hxxp://christiaanse-taxateur.nl/wp-admin/hdtvamazon.html; hxxp://institutobiblicosanpablo.org/site/amazinhdtv.html; hxxp://lacastalia.com/scripts/amazinhdtv.html; hxxp://twoshakes.ca/wp-admin/amazinhdtv.html; hxxp://quangcaowebtrengoogle.com/administrator/amazinhdtv.html; hxxp://vedsoft.info/wp-admin/amazinhdtv.html; hxxp://kineticenergix.com/wp-admin/amazinhdtv.html; hxxp://smescement.ru/3dhdtvordr.html; hxxp://j-goods.us/3dhdtvordr.html; hxxp://xn--nietypowe-meble-na-zamwienie-6zc.pl/3dhdtvordr.html

Sample detection rate for the malicious JavaScript served by the landing pages: Amazon.html (MD5: a8af3b2fba56a23461f2cc97a7b97830) is detected by 20 out of 43 antivirus scanners, for example as JS/Obfuscus.AACB!tr or Trojan-Downloader.JS.Expack.ael.

Client-side exploitation URLs (the second is the same Black Hole landing page with its query-string parameters): hxxp://webgrafismo.net/detects/rates-event_convinced-sent.php; hxxp://webgrafismo.net/detects/rates-event_convinced-sent.php?bve=3406073633&prny=3949&cmarvjgs=qqfngaf&gugrxt=qrs; hxxp://pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php
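The indicators above (landing-page filenames on the compromised sites, the two exploit-kit hosts, the shape of the Black Hole landing URLs and the published MD5s) can be turned directly into a proxy-log check. The script below is an added example, not code from the original post or from Webroot; the indicator values are copied from the post, the Black Hole path regex is a generalisation of the two exploit URLs listed (an assumption that other instances follow the same shape), and the proxy log lines are constructed for the demonstration.

```python
"""IOC matcher for the Amazon-themed Black Hole campaign described above.

Added example (not from the original post). The landing-page filenames,
the exploit-kit hosts, the URL shape and the MD5 hashes are taken from the
indicators listed in the post; the proxy log lines below are constructed
for the demonstration and are not real traffic.
"""
import re
from urllib.parse import urlparse

# Landing-page filenames seen across the compromised sites in the post.
LANDING_FILES = {"hdtvamazon.html", "amazinhdtv.html", "3dhdtvordr.html"}

# Exploit-kit hosts named in the post (hxxp:// defanged in the source).
EXPLOIT_HOSTS = {"webgrafismo.net", "pallada-cruise.net"}

# Black Hole landing URLs in this campaign look like
#   /detects/rates-event_convinced-sent.php?bve=...&prny=...
# i.e. a one-word directory, then two hyphenated word pairs joined by an
# underscore, then .php. Assumption: other instances follow the same shape.
BLACKHOLE_PATH = re.compile(r"^/[a-z]+/[a-z]+-[a-z]+_[a-z]+-[a-z]+\.php$")

# File hashes published in the post.
KNOWN_MD5 = {
    "a8af3b2fba56a23461f2cc97a7b97830": "Amazon.html (obfuscated JavaScript)",
    "9a22573eb991a3780791a2df9c55ddab": "PDF exploiting CVE-2010-0188",
}


def classify_url(url):
    """Return the list of indicator names matched by *url* (empty if clean)."""
    # Accept defanged URLs exactly as they appear in the post.
    url = url.replace("hxxp://", "http://").replace("hxxps://", "https://")
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path
    hits = []
    if path.rsplit("/", 1)[-1] in LANDING_FILES:
        hits.append("campaign-landing-page")
    if host in EXPLOIT_HOSTS:
        hits.append("known-exploit-host")
    if BLACKHOLE_PATH.match(path):
        hits.append("blackhole-url-pattern")
    return hits


# Constructed proxy log lines: "<client> <method> <url> <status>".
SAMPLE_LOG = """\
10.0.0.12 GET http://shuraki.com/wp-admin/hdtvamazon.html 200
10.0.0.12 GET http://webgrafismo.net/detects/rates-event_convinced-sent.php?bve=3406073633&prny=3949 200
10.0.0.12 GET http://pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php 200
10.0.0.15 GET http://www.amazon.com/gp/css/order-history 200
10.0.0.17 GET http://example.org/wp-admin/index.php 200
"""


def scan_log(text):
    """Return (client, url, hits) for every log line matching an indicator."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        hits = classify_url(url)
        if hits:
            findings.append((client, url, hits))
    return findings


def check_hash(md5):
    """Look up an MD5 (any case) against the hashes published in the post."""
    return KNOWN_MD5.get(md5.lower())


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(hits))
```

Note that the landing-page filename check is the most robust of the three: the compromised hosts change from day to day, but the filenames were reused across all seventeen sites listed in the post, and a single client fetching one of them followed by a URL that matches the Black Hole path shape is the sequence an analyst would pivot on.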

As part of the exploitation chain, the Black Hole Exploit kit serves a malicious PDF file (MD5: 9a22573eb991a3780791a2df9c55ddab) that exploits CVE-2010-0188, a vulnerability in Adobe Reader and Acrobat, so it is the PDF reader plugin, not the browser itself, that is being attacked at that stage.
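CVE-2010-0188 is a flaw in the TIFF parsing of Adobe Reader and Acrobat, and public exploits for it carry the malicious TIFF base64-encoded inside an XFA form image field, usually in a FlateDecode'd stream. The triage script below is an added example, not code from the original post or from Webroot, and it is a heuristic keyed to that packaging rather than to the specific sample whose MD5 is given above (that sample is not reproduced here). The PDF it scans is constructed inline for the demonstration and contains only a four-byte TIFF header, not an exploit.

```python
"""Triage heuristic for CVE-2010-0188-style PDFs (XFA form + embedded TIFF).

Added example, not from the original post. Assumption: like the public
exploits for CVE-2010-0188, a malicious PDF embeds a base64-encoded TIFF
inside an XFA form, often behind FlateDecode. The sample PDF built below
is constructed for the demonstration and carries only a TIFF header.
"""
import base64
import re
import zlib

# TIFF byte-order marks (little- and big-endian).
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
# Their stable base64 prefixes ("SUkqA" / "TU0AK"), as seen inside xfa:data.
TIFF_B64 = tuple(base64.b64encode(m)[:5] for m in TIFF_MAGICS)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decoded_streams(pdf):
    """Yield every stream body, inflated when it is FlateDecode'd."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body  # not compressed (or not zlib); inspect as-is


def triage_pdf(pdf):
    """Return heuristic findings for the given PDF bytes."""
    views = [pdf] + list(decoded_streams(pdf))
    has_xfa = any(b"/XFA" in v or b"<xdp:xdp" in v for v in views)
    has_b64_tiff = any(any(t in v for t in TIFF_B64) for v in views)
    has_raw_tiff = any(any(t in v for t in TIFF_MAGICS) for v in views)
    return {
        "xfa_form": has_xfa,
        "base64_tiff": has_b64_tiff,
        "raw_tiff": has_raw_tiff,
        "suspicious": has_xfa and (has_b64_tiff or has_raw_tiff),
    }


def build_sample(compress=True):
    """Construct a minimal PDF whose XFA image field holds a base64 TIFF header.

    Demonstration data only: the 'TIFF' is an 8-byte header with no image data.
    """
    tiff_b64 = base64.b64encode(b"II*\x00" + b"\x08\x00\x00\x00").decode()
    xdp = ('<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><xfa:datasets>'
           "<xfa:data><form1><ImageField1>" + tiff_b64 +
           "</ImageField1></form1></xfa:data></xfa:datasets></xdp:xdp>").encode()
    body = zlib.compress(xdp) if compress else xdp
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.6\n"
            b"1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n"
            b"2 0 obj << /XFA 3 0 R >> endobj\n"
            b"3 0 obj << " + filt + b"/Length " + str(len(body)).encode() +
            b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


# A constructed PDF with no form and no image, for comparison.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print("compressed sample:", triage_pdf(build_sample()))
    print("benign sample:    ", triage_pdf(BENIGN_PDF))
```

This is a first-pass filter for a mail gateway or sandbox queue, not a verdict: an XFA form with an embedded TIFF is also what a legitimate Acrobat form with an image field looks like, so a hit should route the file to a sandbox or to a patched-reader check rather than straight to a block.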

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Trackbacks

  1. […] according to a post on Webroot, when the victim clicks on the link contained in the mail, […]
