Bogus Better Business Bureau themed notifications serve client-side exploits and malware

by


Cybercriminals are currently spamvertising millions of emails impersonating the Better Business Bureau (BBB), in an attempt to trick users into clicking on a link to a non-existent report. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign: hxxp://www.kulturszalon.hu/cmplinfo.html; hxxp://plastonline.expopage.net/cmplinfo.html; hxxp://holmgard.ru/bbbcmpln.html; hxxp://www.resgroup.com/cmplinfo.html; hxxp://fatherandy.com/cmplinfo.html; hxxp://luxense.eu/bbbcmpln.html; hxxp://sauter-vvp.de/cmplinfo.htmlhxxp://lrhmedia.com/bbbcmpln.html; hxxp://stsmc.org/cmplinfo.html; hxxp://kulturszalon.hu/cmplinfo.html; hxxp://fajnybazar.cz/cmplinfo.html; hxxp://caselle-vpn.net/cmplinfo.html; hxxp://intranet.sextaconcepcion.cl/cmplinfo.html; hxxp://www.stsmc.org/cmplinfo.html; hxxp://philipsambisound.info/cmplinfo.html; hxxp://www.resgroup.com/cmplinfo.html; hxxp://www.j-channel.ch/cmplinfo.html; hxxp://eaglemailboxsales.com/cmplinfo.html; hxxp://www.teratec.co.il/cmplinfo.html; hxxp://www.azmp.ru/cmplinfo.html; hxxp://znamenie.com/cmplinfo.html; hxxp://star-crep.it/bbbcmpln.htmlhxxp://mignonnettes.it/bbbcmpln.html

Sample client-side exploits serving URL: hxxp://samplersmagnifyingglass.net/detects/confirming_absence_listing.php – 183.81.133.121, AS38442 – Email: jap_gazo8262@fansonlymail.com

Although I wasn’t able to obtain the actual malicious payload from this campaign, it’s worth pointing out that the cybercriminals behind it relied on the same infrastructure as they did in previously profiled malicious attacks launched by the same party. We also know that on the following dates/specific time, the following malicious URLs also responded to the same IP (183.81.133.121):

2012-10-16 00:24:08 – hxxp://navisiteseparation.net/detects/processing-details_requested.php
2012-10-12 11:19:37 – hxxp://editdvsyourself.net/detects/beeweek_status-check.php

Responding to the same IP (183.81.133.121) are also the following malicious domains:
stafffire.net
hotsecrete.net - Email: counseling1@yahoo.com
the-mesgate.net - also responds to 208.91.197.54 – Email: admin@newvcorp.com

Name servers used in the campaign:
Name Server: NS1.TOPPAUDIO.COM - 91.216.93.61 – Email: windowclouse@hotmail.com
Name Server: NS2.TOPPAUDIO.COM - 29.217.45.138 – Email: windowclouse@hotmail.com

We’ll continue monitoring the campaigns launched by this group, and post updates as soon as new campaigns are launched.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


0 comments

Trackbacks

  1. [...] We’ve already seen these domains used in previously profiled malicious campaigns: headerandfooterprebuilt.pro – seen in “Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware“ fixedmib.net – seen in “Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware“ stafffire.net – seen in “Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware“; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“; “Bogus Better Business Bureau themed notifications serve client-side exploits and malware“. [...]