Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits and malware

by

Share this news now.

Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, this time impersonating both eBay and PayPal, in an attempt to trick their users into clicking on the client-side exploits and malware serving links found in the malicious emails.

More details:

Sample screenshot of the spamvertised email:

PayPayl_Ebay_Purchase_Email_Spam_Exploits_Malware_Black_Hole_Exploit_Kit

Sample compromised URLs used in the campaign:
hxxp://idrapidleech.com/components/com_ag_google_analytics2/purhcoverview.html
hxxp://apartistanbul.com/components/com_ag_google_analytics2/purchaseinfo.html
hxxp://setpersianstyle.com/components/com_ag_google_analytics2/purchaseinfo.html
hxxp://lasienwater.com/components/com_ag_google_analytics2/purchaseinfo.html
hxxp://spadanastone.com/components/com_ag_google_analytics2/purchaseinfo.html
hxxp://adpalmaseca.com/components/com_ag_google_analytics2/purchaseinfo.html
hxxp://ustradework.com/components/com_ag_google_analytics2/purchaseinfo.html
hxxp://archerscluboffa.com/components/com_ag_google_analytics2/purchaseinfo.html
hxxp://odiwohng.com/components/com_ag_google_analytics2/purchaseinfo.html
hxxp://softouchsystem.com/components/com_ag_google_analytics2/purchaseinfo.html
hxxp://fairwaterconsultants.com/components/com_ag_google_analytics2/purchaseinfo.html
hxxp://popularesalhama.com/components/com_ag_google_analytics2/purchaseinfo.html
hxxp://adpalmaseca.com/components/com_ag_google_analytics2/purchaseinfo.html

Sample client-side exploits serving domains:
hxxp://litefragmented.pro/detects/telling-purchase-checks.php
hxxp://ibertomoralles.com/detects/slowly_apply.php

Malicious domain names reconnaissance:
litefragmented.pro – 59.64.144.239 – Email: kee_mckibben0869@macfreak.com
Name Server: NS1.CHELSEAFUN.NET
Name Server: NS2.CHELSEAFUN.NET

We’ve already seen and profiled the same email (kee_mckibben0869@macfreak.com) in the following analyses – “Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware“; “Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware“.

We’ve also seen the same name servers used in the following previously profiled malicious campaigns:

ibertomoralles.com – 59.57.247.185 – Email: rick.baxter@costcontrolsoftware.com
Name Server: NS1.SOFTVIK.NET – 84.32.116.189 – Email: farbonite@hotmail.com
Name Server: NS2.SOFTVIK.NET – 15.209.33.133 – Email: farbonite@hotmail.com

Responding to 59.57.247.185 are also the following malicious domains:
roketlauncherskiy.org
moid.pl
securityday.pl
icobag.com
proscitomash.com
labpr.com
shopgreatvideonax.com
codemark.net
zindt.net
hfeitu.net
naky.net
svictrorymedia.ru
ygsecured.ru
winterskyserf.ru
romoviebabenki.ru
addon.su
robertokarlosskiy.su

We’ve already seen and profiled the same IP in the following malicious campaigns: “Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit“; “Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware“; “Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit“.

We’ll continue monitoring the activities of this cybercriminal/gang of cybercriminals and post updates as soon as new campaigns are launched.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Share this news now.