‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit

Newsflash: the cybercriminals behind the recently profiled malicious campaign impersonating Bank of America have launched yet another massive spam campaign, this time targeting ADP customers. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Compromised malicious URLs spamvertised in the campaign:
hxxp://shawnsheritagemasonry.com/trnztadp.html
hxxp://diversified.usereasy.net/trnztadp.html
hxxp://widespace.com.cn/trnztadp.html
hxxp://www.theironingbasket.com/trnztadp.html
hxxp://runtheattack.com/trnztadp.html
hxxp://kbc-tervuren.be/trnztadp.html
hxxp://egowy.com/loginadptr.html

Client-side exploits serving URLs:
hxxp://reasonedblitzing.net/detects/lorrys_implication.php – 195.198.124.60, AS3301 – Email: monteene_forbrich8029@mauritius.com
hxxp://nfcmpaa.info/detects/burying_releases-degree.php – 195.198.124.60, AS3301 – Email: nevein_standrin35@kube93mail.com

Responding to the same IP are also the following malicious domains:
win8ss.com – Email: fermetnolega@hotmail.com
legacywins.com – Email: fermetnolega@hotmail.com
openpolygons.net – Email: cordey_yabe139@flashmail.net
steamedboasting.info – Email: mauro_borozny655@medical.net.au

Name servers part of the campaign’s infrastructure:
Name Server: NS1.TOPPAUDIO.COM
Name Server: NS2.TOPPAUDIO.COM

We’ve already seen the same name servers used in the recently profiled “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware” malicious campaign. Clearly, the cybercriminal or gang of cybercriminals behind the campaign continue rotating the impersonated brands while reusing the same malicious infrastructure to achieve their objectives.
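To show how the overlap described above (a shared hosting IP, shared name servers and repeated URL paths) can be turned into defensive detection logic, here is an added Python example that is not part of the original post. The resolution records and proxy log lines are constructed from the indicators listed in the post; the unrelated domain and the 203.0.113.7 address are placeholders.

```python
# Infrastructure pivoting over constructed records: cluster domains that share
# a hosting IP or name server, and flag URL paths seen in the campaign.
from collections import defaultdict, deque
import re

# Constructed records modelled on the indicators listed in the post.
# Fields: (domain, resolved IP, name servers). Not real passive-DNS output.
RECORDS = [
    ("reasonedblitzing.net", "195.198.124.60", ("ns1.toppaudio.com", "ns2.toppaudio.com")),
    ("nfcmpaa.info", "195.198.124.60", ("ns1.toppaudio.com", "ns2.toppaudio.com")),
    ("win8ss.com", "195.198.124.60", ("ns1.toppaudio.com", "ns2.toppaudio.com")),
    ("unrelated.example", "203.0.113.7", ("ns1.unrelated.example",)),  # placeholder, RFC 5737 test IP
]

def cluster_by_infrastructure(records):
    """Return connected components of domains linked by a shared IP or name server."""
    links = defaultdict(set)  # pivot key ("ip:..." / "ns:...") -> domains using it
    keys = defaultdict(set)   # domain -> pivot keys it is tied to
    for domain, ip, name_servers in records:
        for key in ["ip:" + ip] + ["ns:" + ns.lower() for ns in name_servers]:
            links[key].add(domain)
            keys[domain].add(key)
    seen, clusters = set(), []
    for domain in keys:
        if domain in seen:
            continue
        component, queue = set(), deque([domain])
        while queue:  # breadth-first walk across shared pivot keys
            d = queue.popleft()
            if d in seen:
                continue
            seen.add(d)
            component.add(d)
            for key in keys[d]:
                queue.extend(links[key] - seen)
        clusters.append(sorted(component))
    return sorted(clusters)

# URL path patterns taken from the post's spamvertised links and exploit-kit landing pages.
CAMPAIGN_PATHS = re.compile(r"/(trnztadp|loginadptr)\.html|/detects/[\w-]+\.php", re.I)

def flag_campaign_urls(log_lines):
    """Return proxy log lines whose requested URL matches a known campaign path."""
    return [line for line in log_lines if CAMPAIGN_PATHS.search(line)]

# Constructed proxy log lines for demonstration.
SAMPLE_LOG = [
    "10.0.0.5 GET http://shawnsheritagemasonry.com/trnztadp.html 200",
    "10.0.0.5 GET http://reasonedblitzing.net/detects/lorrys_implication.php 200",
    "10.0.0.9 GET http://intranet.example/index.html 200",
]
```

Running `cluster_by_infrastructure(RECORDS)` groups the three domains on 195.198.124.60 and the TOPPAUDIO name servers into one cluster, leaving the placeholder domain on its own.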

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
