‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit

by


Intuit users, beware!

Cybercriminals are currently mass-mailing millions of emails impersonating Intuit’s Direct Deposit Service, in an attempt to trick Intuit’s users into clicking on the malicious links found in the legitimate-looking emails. Upon clicking on any of them, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign: hxxp://www.transplantexperience.in/inproldet.html; hxxp://www.skullisland.ca/inproldet.html; hxxp://pozycjonowanie.profi-group.pl/inproldet.html; hxxp://www.transplantexperience.in/inproldet.html; hxxp://www.luxense.eu/inproldet.html; hxxp://media.ted.fr/sites/inproldet.html; hxxp://tacmap.jp/sites/inproldet.html; hxxp://spiler.hu/inproldet.html; hxxp://archaeology.tau.ac.il/inproldet.html; hxxp://www.tecfedericotaylor.edu.gt/inproldet.html; hxxp://www.viaherworld.com/inproldet.html

Client-side exploits serving URLs: hxxp://savedordercommunicates.info/detects/bank_thinking.php; hxxp://savedordercommunicates.info/detects/bank_thinking.php?eony=3833043409&ujmp=36&akemejo=03370b370a33070b0207&lwv=0a000300040002

Upon loading, the malicious URL attempts to serve a PDF to the affected host that exploits CVE-2010-0188. Once the exploit succeeds, it drops additional malware.

Detection rate for the dropped malware: MD5: ebe81fe9a632726cb174043f6ac93e46 – detected by 14 out of 44 antivirus scanners as Trojan.Win32.Bublik.qqf

Client-side exploits serving domain reconnaissance:
savedordercommunicates.info – 75.127.15.39, AS36352 – Email: heike_ruigrok32@naplesnews.net
Name Server: NS1.CHELSEAFUN.NET – 173.234.9.89, AS15003 – also responding to the same IP is the following malicious name server: ns1.nationalwinemak.com
Name Server: NS2.CHELSEAFUN.NET – 65.131.100.90, AS209

We’ve already seen the same name servers used in the previously profiled “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware” malicious campaign, indicating that both of these campaigns are managed by the same malicious party.

Responding to the same IP (75.127.15.39) is also the following malicious domain:
teamscapabilitieswhich.org
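The indicators above (the redirector path on the compromised sites, the exploit-kit landing URL, and the hosting IP and name servers shared with the Discover Card campaign) are enough to write a small triage script. The following is an added example, not code from the post or from Webroot; the query-string heuristic is derived only from the single landing URL quoted above, the sample URLs and DNS records are constructed, and the "pivot-candidate.example" domain is invented to show the name-server pivot firing.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Indicators from the post: redirector path on the compromised sites, exploit-kit landing
# host/path, and the hosting IP and name servers shared with the Discover Card campaign.
REDIRECTOR_PATH = "/inproldet.html"
LANDING_HOST = "savedordercommunicates.info"
LANDING_PATH = "/detects/bank_thinking.php"
SHARED_IP = "75.127.15.39"
SHARED_NS = {"ns1.chelseafun.net", "ns2.chelseafun.net"}

# Shape of the landing query string in the post's sample URL: four random parameter names,
# two decimal values, two hex blobs. Derived from that single URL, so a hit means "review".
DEC_RE = re.compile(r"^[0-9]+$")
HEX_RE = re.compile(r"^[0-9a-f]{10,}$")

def landing_query_shape(query):
    vals = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    dec = [v for v in vals if DEC_RE.match(v)]
    hexes = [v for v in vals if HEX_RE.match(v) and not DEC_RE.match(v)]
    return len(vals) == 4 and len(dec) == 2 and len(hexes) == 2

def classify_url(url):
    """Reasons a URL matches this campaign; an empty list means no match."""
    u = urlsplit(url)
    reasons = []
    if u.hostname == LANDING_HOST or u.path == LANDING_PATH:
        reasons.append("bhek-landing-ioc")
    if u.path.endswith(REDIRECTOR_PATH):
        reasons.append("compromised-redirector-ioc")
    if u.path.endswith(".php") and landing_query_shape(u.query):
        reasons.append("bhek-landing-shape")
    return reasons

def infrastructure_pivot(dns_records):
    """{domain: {'a': ip, 'ns': [names]}} -> domains sharing the campaign's IP or name servers."""
    return sorted(d for d, r in dns_records.items()
                  if r.get("a") == SHARED_IP or SHARED_NS & {n.lower() for n in r.get("ns", [])})

# Constructed sample input: URLs and DNS facts from the post plus a benign control URL;
# "pivot-candidate.example" is invented to show the name-server pivot firing.
SAMPLE_URLS = [
    "http://www.skullisland.ca/inproldet.html",
    "http://savedordercommunicates.info/detects/bank_thinking.php?"
    "eony=3833043409&ujmp=36&akemejo=03370b370a33070b0207&lwv=0a000300040002",
    "http://www.example.com/index.php?page=2&q=test",
]
SAMPLE_DNS = {
    "teamscapabilitieswhich.org": {"a": "75.127.15.39"},
    "pivot-candidate.example": {"a": "192.0.2.10", "ns": ["ns2.chelseafun.net"]},
}
```

Feed proxy-log URLs to classify_url and passive-DNS results to infrastructure_pivot; only the "-ioc" reasons are exact matches, the "-shape" reason is a heuristic to review.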

This isn’t the first time that we’ve intercepted Intuit themed malicious campaigns. Consider going through previous analyses profiling malicious campaigns impersonating the company:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

