American Express cardholders, beware!

Over the past week, cybercriminals mass mailed millions of emails impersonating American Express, in an attempt to trick its customers into clicking on the malicious links found in the emails. Upon clicking on any of the links, users are redirected to a malicious URL serving cllient-side exploits courtesy of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign: hxxp://www.xn--snren-wua.net/amextrfail.html; hxxp://www.stellarkids.net/amextrfail.html; hxxp://abakus-baby.com/amextrfail.html; hxxp://www.balatonok.hu/amextrfail.html; hxxp://www.ardiabetes.org/amextrfail.html; hxxp://xfrz.cn/amextrfail.html; hxxp://kinga-aco.studiopresent.info/amextrfail.html; http://www.intech74.ru/amextrfail.html; http://wanpra.com/amextrfail.html; http://qr-codes.pedromorales.com/amextrfail.htmlhxxp://relationshipcentral.org.my/amextrfail.html; hxxp://svetled.net/amextrfail.html; hxxp://plateenforcer.com/amextrfail.html; hxxp://marko.jumpquick.com/amextrfail.html; hxxp://familyfiles.joeinfo.org/amextrfail.html; hxxp://vawip.sapint.org/amextrfail.html; hxxp://www.xn--snren-wua.net/amextrfail.html; hxxp://uni-formsandservices.com/amextrfail.html; hxxp://www.svma.sd/amextrfail.html; hxxp://www.ardiabetes.org/amextrfail.html

Client-side exploits serving URLs: hxxp://stempare.net/detects/suited_awful_infinite_estimate.php; hxxp://stempare.net/detects/suited_awful_infinite_estimate.php?azfqtl=3833043409&zwe=47&wfamk=05340237360403353407&htks=0a000300040002

Malicious domain name reconnaissance:
stempare.net – 109.123.220.145, AS15685 – Email: rebe_bringhurst1228@i-connect.com
Name Server: NS1.TOPPAUDIO.COM – 91.216.93.61, AS50300 – Email: windowclouse@hotmail.com
Name Server: NS2.TOPPAUDIO.COM – 29.217.45.138 – Email: windowclouse@hotmail.com

We’ve already seen these name servers in the recently profiled “‘Your Discover Card Services Blockaded’ themed emails lead to Black Hole Exploit Kit; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“, indicating that all of these campaigns are managed by a single cybercriminal/gang of cybercriminals.

Upon loading of the malicious URL, a malicious PDF file exploiting CVE-2010-0188 is used to ultimately drops the actual payload – MD5: c8c607bc630ee2fe6a8c31b8eb03ed43 – detected by 2 out of 44 antivirus scanners as Trojan.Win32.Bublik.ptf.

Upon execution, the dropped malware requests a connection to 192.5.5.241:8080 and then establishes a connection with 210.56.23.100:8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan). The following domain responds to this IP: discozdata.org. It is currently blacklisted in 25 anti-spam lists.

The following URLs are known to have directly serving malicious content, and act as command and control servers in the past:
210.56.23.100:8080/asp/intro.php
210.56.23.100:8080/za/v_01_a/in

The following malicious URLs are known to have responsed to the same IP:
hxxp://poluicenotgo.ru:8080/internet/at.php?i=15
hxxp://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php
hxxp://webmastaumuren.ru:8080/navigator/jueoaritjuir.php
hxxp://dedovshinaus.su:8080/pages/dq.php?i=15
hxxp://rushsjhdhfjsldif.su:8080/images/aublbzdni.php
hxxp://xstriokeneboleeodgons.ru:8080/images/jw.php?i=3D8
hxxp://debiudlasduisioa.ru/
hxxp://dkjhfkjsjadsjjfj.ru:8080/images/aublbzdni.php
hxxp://ckjsfhlasla.ru:8080/images/kobzfoivdpdzilx.php
hxxp://zolindarkksokns.ru:8080/images/jw.php?i=2
hxxp://caskjfhlkaspsfg.ru/images/dpcobsyscrctbt.jar
hxxp://csoaspfdpojuasfn.ru:8080/images/xqyndrbualfl.swf

The last time we came across this IP (210.56.23.100), was in July 2012’s analysis of yet another malicious campaign, this time impersonating American Airlines.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This