Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware

A currently ongoing spam campaign attempts to trick users into thinking that their ability to send Domestic Wire Transfers has been disabled. Impersonating the Federal Deposit Insurance Corporation (FDIC), the cybercriminals behind the campaign are potentially earning thousands of dollars in the process of monetizing the anticipated traffic.

Once users click on the bogus ‘secure download link’, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample of compromised URLs used in the campaign:
hxxp://greetingsjackass.com/securefdicinform.html
hxxp://www.galaxiafilm.it/securefdicinform.html
hxxp://www.esv-hochkogel.at/securefdicinform.html

Client-side exploits serving URL: hxxp://stifferreminders.pro/detects/fdic-information_gather.php

Malicious payload serving URL: hxxp://stifferreminders.pro/detects/fdic-information_gather.php?fooxj=31:2v:30:1i:1o&otlzvl=2w&hmhzxma=1f:30:1k:1k:1h:1l:2w:2v:2w:1m&sgiq=1n:1d:1f:1d:1f:1d:1j:1k:1l

Client-side exploits served: CVE-2010-0188

Malicious domain name reconnaissance:
stifferreminders.pro – 198.27.94.80 (AS16276) – Email: kee_mckibben0869@macfreak.com
Name Server: NS1.CHELSEAFUN.NET
Name Server: NS2.CHELSEAFUN.NET

These are well-known name servers currently in use by the same cybercriminals that launched the following malicious campaigns: “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware”; “‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit”; “‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit”; “Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware”.

The following malicious domains also respond to the same IP:
headerandfooterprebuilt.pro
fixedmib.net
stafffire.net

We’ve already seen these domains used in previously profiled malicious campaigns:
headerandfooterprebuilt.pro – seen in “Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware”.
fixedmib.net – seen in “Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware”.
stafffire.net – seen in “Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware”; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware”; “Bogus Better Business Bureau themed notifications serve client-side exploits and malware”.

Upon successful client-side exploitation, the campaign drops MD5: 61bc6ad497c97c44b30dd4e5b3b02132 – detected by 2 out of 42 antivirus scanners as UDS:DangerousObject.Multi.Generic.

Once executed, the sample phones back to hxxp://182.237.17.180:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
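The indicators above describe a four-stage chain (compromised lure page, exploit-kit landing URL, payload URL, and the post-infection callback), which is the shape a defender wants to match in web-proxy logs rather than one IoC at a time. The script below is an added example, not code from the Webroot post: it collects the page's domains, IPs and URL paths into a small indicator set, refangs the hxxp:// notation, and tags each matching request in a constructed proxy log with the stage of the chain it belongs to, so that a single client walking lure → exploit kit → payload → callback stands out. The log format, the client addresses and the timestamps are all constructed for the example; the indicator values come from the write-up.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the write-up above (defanged there as hxxp://).
IOC_DOMAINS = {
    "stifferreminders.pro": "exploit_kit",
    "headerandfooterprebuilt.pro": "related_infrastructure",
    "fixedmib.net": "related_infrastructure",
    "stafffire.net": "related_infrastructure",
}
IOC_IPS = {
    "198.27.94.80": "exploit_kit_hosting",   # stifferreminders.pro resolves here
    "182.237.17.180": "c2_callback",         # post-infection phone-home host
}
LURE_PATH = "/securefdicinform.html"                 # page planted on compromised sites
EK_PATH = "/detects/fdic-information_gather.php"     # Black Hole landing / payload script
PAYLOAD_MD5 = "61bc6ad497c97c44b30dd4e5b3b02132"     # dropped executable, for AV/EDR lookups


def refang(url):
    """Turn the hxxp:// notation used in the report back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def classify_url(url):
    """Return the stage of the infection chain a URL belongs to, or None if clean."""
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""
    # Same script with a query string is the payload fetch; without it, the exploit page.
    if parsed.path == EK_PATH and host in IOC_DOMAINS:
        return "payload" if parsed.query else "exploit_kit"
    if host in IOC_DOMAINS:
        return IOC_DOMAINS[host]
    if host in IOC_IPS:
        return IOC_IPS[host]
    # Lure pages live on arbitrary compromised hosts, so match on the path only.
    if parsed.path.endswith(LURE_PATH):
        return "lure_landing_page"
    return None


def scan_proxy_log(lines):
    """Yield (client, stage, url) for every request that matches an indicator.

    Expected (constructed) line layout: timestamp client_ip method url status.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, _method, url = parts[:4]
        stage = classify_url(url)
        if stage is not None:
            findings.append((client, stage, url))
    return findings


def chains_by_client(findings):
    """Group matched stages per client so a full lure→payload→callback walk is visible."""
    chains = {}
    for client, stage, _url in findings:
        chains.setdefault(client, []).append(stage)
    return chains


# Constructed proxy log: one victim following the full chain, one unrelated client.
SAMPLE_LOG = """\
2012-07-10T09:14:02Z 10.1.4.22 GET http://www.galaxiafilm.it/securefdicinform.html 200
2012-07-10T09:14:03Z 10.1.4.22 GET http://stifferreminders.pro/detects/fdic-information_gather.php 200
2012-07-10T09:14:09Z 10.1.4.22 GET http://stifferreminders.pro/detects/fdic-information_gather.php?fooxj=31:2v:30 200
2012-07-10T09:14:40Z 10.1.4.22 POST http://182.237.17.180:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ 200
2012-07-10T09:15:00Z 10.1.4.37 GET http://www.example.com/index.html 200
""".splitlines()

if __name__ == "__main__":
    for client, stages in chains_by_client(scan_proxy_log(SAMPLE_LOG)).items():
        print(client, "->", " > ".join(stages))
```

Matching the lure on its path alone is deliberate: the compromised hosts change from campaign to campaign, while the planted filename is the stable part, so a path rule keeps catching new hosts that a domain blocklist would miss. The same holds for the callback, where the IP and the `:8080` pattern outlive any single domain.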

We’ll continue monitoring the malicious activities of this group/individual, and post updates as soon as new activity takes place.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
