‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware

American Express cardholders, beware!

Over the past week, cybercriminals mass-mailed millions of emails impersonating American Express, in an attempt to trick its customers into clicking on the malicious links found in the emails. Upon clicking on any of the links, users are redirected through a compromised site to a malicious URL serving client-side exploits courtesy of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign:
hxxp://www.xn--snren-wua.net/amextrfail.html
hxxp://www.stellarkids.net/amextrfail.html
hxxp://abakus-baby.com/amextrfail.html
hxxp://www.balatonok.hu/amextrfail.html
hxxp://www.ardiabetes.org/amextrfail.html
hxxp://xfrz.cn/amextrfail.html
hxxp://kinga-aco.studiopresent.info/amextrfail.html
hxxp://www.intech74.ru/amextrfail.html
hxxp://wanpra.com/amextrfail.html
hxxp://qr-codes.pedromorales.com/amextrfail.html
hxxp://relationshipcentral.org.my/amextrfail.html
hxxp://svetled.net/amextrfail.html
hxxp://plateenforcer.com/amextrfail.html
hxxp://marko.jumpquick.com/amextrfail.html
hxxp://familyfiles.joeinfo.org/amextrfail.html
hxxp://vawip.sapint.org/amextrfail.html
hxxp://uni-formsandservices.com/amextrfail.html
hxxp://www.svma.sd/amextrfail.html

Client-side exploits serving URLs:
hxxp://stempare.net/detects/suited_awful_infinite_estimate.php
hxxp://stempare.net/detects/suited_awful_infinite_estimate.php?azfqtl=3833043409&zwe=47&wfamk=05340237360403353407&htks=0a000300040002

Malicious domain name reconnaissance:
stempare.net – 109.123.220.145, AS15685 – Email: rebe_bringhurst1228@i-connect.com
Name Server: NS1.TOPPAUDIO.COM – 91.216.93.61, AS50300 – Email: windowclouse@hotmail.com
Name Server: NS2.TOPPAUDIO.COM – 29.217.45.138 – Email: windowclouse@hotmail.com

We’ve already seen these name servers in the recently profiled “‘Your Discover Card Services Blockaded’ themed emails lead to Black Hole Exploit Kit”; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware”; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit”, indicating that all of these campaigns are managed by a single cybercriminal/gang of cybercriminals.

Upon loading of the malicious URL, a malicious PDF file exploiting CVE-2010-0188 is used to ultimately drop the actual payload – MD5: c8c607bc630ee2fe6a8c31b8eb03ed43 – detected by 2 out of 44 antivirus scanners as Trojan.Win32.Bublik.ptf.

Upon execution, the dropped malware requests a connection to 192.5.5.241:8080 and then establishes a connection with 210.56.23.100:8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan). The following domain responds to this IP: discozdata.org. It is currently blacklisted in 25 anti-spam lists.

The following URLs on the same host are known to have served malicious content directly, and to have acted as command and control servers in the past:
210.56.23.100:8080/asp/intro.php
210.56.23.100:8080/za/v_01_a/in

The following malicious URLs are known to have resolved to the same IP:
hxxp://poluicenotgo.ru:8080/internet/at.php?i=15
hxxp://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php
hxxp://webmastaumuren.ru:8080/navigator/jueoaritjuir.php
hxxp://dedovshinaus.su:8080/pages/dq.php?i=15
hxxp://rushsjhdhfjsldif.su:8080/images/aublbzdni.php
hxxp://xstriokeneboleeodgons.ru:8080/images/jw.php?i=3D8
hxxp://debiudlasduisioa.ru/
hxxp://dkjhfkjsjadsjjfj.ru:8080/images/aublbzdni.php
hxxp://ckjsfhlasla.ru:8080/images/kobzfoivdpdzilx.php
hxxp://zolindarkksokns.ru:8080/images/jw.php?i=2
hxxp://caskjfhlkaspsfg.ru/images/dpcobsyscrctbt.jar
hxxp://csoaspfdpojuasfn.ru:8080/images/xqyndrbualfl.swf

The last time we came across this IP (210.56.23.100) was in our July 2012 analysis of yet another malicious campaign, that time impersonating American Airlines.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
