September 23, 2013, by Dancho Danchev

Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware

Cybercriminals are mass-mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails in an attempt to trick users into clicking on the URLs in the bogus emails, which serve client-side exploits and drop malware. Let’s dissect the campaign, expose the portfolio of malicious domains it uses, provide MD5s for a sample exploit and the dropped malware, and connect the campaign with previously launched, already profiled malicious campaigns.

Sample screenshot of the spamvertised email:


Sample redirection chain:
hxxp:// ( -> hxxp:// (;;;; Email:

Known to have responded to the same IP ( are also the following fraudulent/malicious domains:

The following malicious MD5s are also known to have phoned back to the same IP in the past:
MD5: d672db2c3f398f1bb55ed0030467277d
MD5: 5cb9893095f6087fe741853213f244e8

Known to have responded to are also the following malicious domains:

Known to have responded to are also the following malicious domains:

Known to have responded to are also the following malicious domains:

Name servers part of the campaign’s infrastructure:
Name Server: NS1.NAMASTELEARNING.NET – – Email: – Deja vu! We’ve already seen the same email used in a related Facebook themed malicious campaign.

The same name servers also provide DNS services to the following malicious domains:

MD5 for a sample served client-side exploit: 92897ad0aff69dee36dc22140bf3d8a9. Sample MD5 for the dropped malware: 7b6332de90e25a5b26f7c75910a22e0c.

Once executed, the sample phones back to the following C&C servers:

Webroot SecureAnywhere users are proactively protected from these threats.
