‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit

by


A cybercriminal/group of cybercriminals that’s been responsible for a series of malware attacks that I’ve been recently profiling, continues to systematically rotate the impersonated brands and the actual malicious payload dropped by the market leading Black Hole Exploit Kit. The prospective target of their latest campaign? PayPal users.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign: hxxp://smksapg.edu.my/acschanged.html; hxxp://kylecommunity.com/acschanged.html; hxxp://tonymerritt.com/acschanged.html;  hxxp://gorod-sport.ru/acschanged.html; hxxp://family.joeinfo.org/acschanged.html; hxxp://sabaevo.ru/acschanged.html; hxxp://www.dzivebezzalem.lv/acschanged.html; hxxp://www.eqtv.com.ar/acschanged.html; hxxp://consultancy.jcsinvestment.com/acschanged.html; hxxp://www.ilampokhari.co.uk/acschanged.html; hxxp://sonnen- ernte.de/acschanged.html; hxxp://www.dzivebezzalem.lv/acschanged.html; hxxp://www.modelzwerge.de/acschanged.html; hxxp://wiggleeyes.pedromorales.com/acschanged.html; hxxp://aloeweb.cl/acschanged.html; hxxp://yuriy.at/acschanged.html; hxxp://www.llv.lichlamviec.com/acschanged.html; hxxp://ipadcover.ru/acschanged.html; hxxp://www.robertguyser.com/wp-content/themes/twentyten/ppacchanges.html; hxxp://partnerzy.net/wp-content/plugins/ppacchanges.html; hxxp://www.ufec.info/wp-content/plugins/akismet/ppacchanges.html; hxxp://msinventors.org/wp-content/plugins/akismet/ppacchanges.html; hxxp://www.textranetwork.com/wp-content/plugins/akismet/ppacchanges.html; hxxp://sclics.com/wp-content/plugins/akismet/ppacchanges.html; hxxp://www.passwork.org/wp-content/plugins/akismet/ppacchanges.html

Client-side exploits serving URL: hxxp://puzzledbased.net/detects/suited_awful_infinite_estimate.php; hxxp://packleadingjacket.org/detects/hidden-temperature.php

Malicious domain name reconnaissance: puzzledbased.net – 183.180.134.217, AS2519 – Email: rodger_covach3060@spacewar.com

Name Server: NS1.TOPPAUDIO.COM
Name Server: NS2.TOPPAUDIO.COM

packleadingjacket.org – 62.116.181.25

Name Server: ns1.chelseafun.net
Name Server: ns2.chelseafun.net

Although we couldn’t reproduce puzzledbased.net’s malicious activity, we know for certain that on 2012/11/01 at 15:19, hxxp://netgear-india.net/detects/discover-important_message.php was responding to the same IP. We’ve already seen and profiled the malicious activity of the campaign using this URL in the ‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware analysis.

Moreover, we’ve also seen the same name servers (NS1.TOPPAUDIO.COM; NS2.TOPPAUDIO.COM) used in a series of recently profiled campaigns, once again launched by the same cybercriminal/gang of cybercriminals. The campaigns in question are: “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware“; “Your Discover Card Services Blockaded’ themed emails lead to Black Hole Exploit Kit“; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“.

The name servers (ns1.chelseafun.net; ns2.chelseafun.net) used by the most recently used client-side exploits serving domain, have also been seen in the following previously profiled malicious campaigns – “‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit“; “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware“.

The following malicious domains are also part of the campaign’s infrastructure and respond to the same IP (183.180.134.217) as the client-side exploits serving domains:

rovo.pl
itracrions.pl
superdmntre.com
chicwhite.com
radiovaweonearch.com
strili.com
superdmntwo.com
unitmusiceditior.com
newtimedescriptor.com
steamedboasting.info
solla.atvotela.net
stempare.net
tradenext.net
bootingbluray.net

The following malicious domain (stempare.net) was also seen in the recently profiled “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware” campaign, indicating yet another connection between these campaigns.

We’ve also seen steamedboasting.info in the following recently profiled malicious campaigns - “Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware“; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“.

PayPal is a commonly impersonated brand by a lot of cybercriminals. In fact, some of them are so efficient in the process of obtaining PayPal accounting data, that they launch online shops targeting fellow cybercriminals who are interested in purchasing the fraudulently obtained data. We’ve also seen the brand impersonated in a series of malicious attacks:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Trackbacks

  1. [...] WEBROOT – INSIGHTS INTO THREATS AND TRENDS FROM OUR INTERNET SECURITY EXPERTS « ‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit [...]

  2. [...] Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit“; “‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit“; “Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed [...]