November 12, 2012Dancho Danchev By Dancho Danchev

‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware

American Express cardholders, beware!

Over the past week, cybercriminals mass mailed millions of emails impersonating American Express, in an attempt to trick its customers into clicking on the malicious links found in the emails. Upon clicking on any of the links, users are redirected to a malicious URL serving cllient-side exploits courtesy of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign: hxxp://www.xn--snren-wua.net/amextrfail.html; hxxp://www.stellarkids.net/amextrfail.html; hxxp://abakus-baby.com/amextrfail.html; hxxp://www.balatonok.hu/amextrfail.html; hxxp://www.ardiabetes.org/amextrfail.html; hxxp://xfrz.cn/amextrfail.html; hxxp://kinga-aco.studiopresent.info/amextrfail.html; http://www.intech74.ru/amextrfail.html; http://wanpra.com/amextrfail.html; http://qr-codes.pedromorales.com/amextrfail.htmlhxxp://relationshipcentral.org.my/amextrfail.html; hxxp://svetled.net/amextrfail.html; hxxp://plateenforcer.com/amextrfail.html; hxxp://marko.jumpquick.com/amextrfail.html; hxxp://familyfiles.joeinfo.org/amextrfail.html; hxxp://vawip.sapint.org/amextrfail.html; hxxp://www.xn--snren-wua.net/amextrfail.html; hxxp://uni-formsandservices.com/amextrfail.html; hxxp://www.svma.sd/amextrfail.html; hxxp://www.ardiabetes.org/amextrfail.html

Client-side exploits serving URLs: hxxp://stempare.net/detects/suited_awful_infinite_estimate.php; hxxp://stempare.net/detects/suited_awful_infinite_estimate.php?azfqtl=3833043409&zwe=47&wfamk=05340237360403353407&htks=0a000300040002

Malicious domain name reconnaissance:
stempare.net – 109.123.220.145, AS15685 – Email: rebe_bringhurst1228@i-connect.com
Name Server: NS1.TOPPAUDIO.COM – 91.216.93.61, AS50300 – Email: windowclouse@hotmail.com
Name Server: NS2.TOPPAUDIO.COM – 29.217.45.138 – Email: windowclouse@hotmail.com

We’ve already seen these name servers in the recently profiled “‘Your Discover Card Services Blockaded’ themed emails lead to Black Hole Exploit Kit; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“, indicating that all of these campaigns are managed by a single cybercriminal/gang of cybercriminals.

Upon loading of the malicious URL, a malicious PDF file exploiting CVE-2010-0188 is used to ultimately drops the actual payload – MD5: c8c607bc630ee2fe6a8c31b8eb03ed43 – detected by 2 out of 44 antivirus scanners as Trojan.Win32.Bublik.ptf.

Upon execution, the dropped malware requests a connection to 192.5.5.241:8080 and then establishes a connection with 210.56.23.100:8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan). The following domain responds to this IP: discozdata.org. It is currently blacklisted in 25 anti-spam lists.

The following URLs are known to have directly serving malicious content, and act as command and control servers in the past:
210.56.23.100:8080/asp/intro.php
210.56.23.100:8080/za/v_01_a/in

The following malicious URLs are known to have responsed to the same IP:
hxxp://poluicenotgo.ru:8080/internet/at.php?i=15
hxxp://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php
hxxp://webmastaumuren.ru:8080/navigator/jueoaritjuir.php
hxxp://dedovshinaus.su:8080/pages/dq.php?i=15
hxxp://rushsjhdhfjsldif.su:8080/images/aublbzdni.php
hxxp://xstriokeneboleeodgons.ru:8080/images/jw.php?i=3D8
hxxp://debiudlasduisioa.ru/
hxxp://dkjhfkjsjadsjjfj.ru:8080/images/aublbzdni.php
hxxp://ckjsfhlasla.ru:8080/images/kobzfoivdpdzilx.php
hxxp://zolindarkksokns.ru:8080/images/jw.php?i=2
hxxp://caskjfhlkaspsfg.ru/images/dpcobsyscrctbt.jar
hxxp://csoaspfdpojuasfn.ru:8080/images/xqyndrbualfl.swf

The last time we came across this IP (210.56.23.100), was in July 2012’s analysis of yet another malicious campaign, this time impersonating American Airlines.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button

9 Responses to ‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware

  1. Pingback: Phishing Scam:Fake AmEx Alert | Paul's Internet Security Blog

  2. Pingback: ‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  3. Pingback: Bogus Better Business Bureau themed notifications serve client-side exploits and malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  4. Pingback: Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  5. Pingback: Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  6. Pingback: Phishing Scam:Fake AmEx Alert | Paul's Internet Security Blog | Email Scam

  7. Pingback: Bogus ‘Meeting Reminder” themed emails serve malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  8. Pingback: Malicious ‘Security Update for Banking Accounts’ emails lead to Black Hole Exploit Kit « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  9. Pingback: ‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit « Webroot Threat Blog – Internet Security Threat Updates from Around the World

Leave a Reply

Your email address will not be published. Required fields are marked *

true