May 30, 2012 By Blog Staff

Spamvertised CareerBuilder themed emails serving client-side exploits and malware

End users and corporate users, and especially CareerBuilder users, beware!

Cybercriminals are currently spamvertising millions of emails impersonating the popular jobs portal CareerBuilder in an attempt to trick users into clicking on links serving client-side exploits.

The current campaign, originally circulating in the wild since 26 Apr, 2012, is a great example of a lack of QA (quality assurance), since the cybercriminals are spamvertising a binary that’s largely detected by the security community.

More details:

Spamvertised URL: hxxp://

Client-side exploits served: CVE-2010-0188 and CVE-2010-1885

Malicious client-side exploitation chain: hxxp:// -> hxxp:// -> hxxp://; sometimes hxxp:// is also included in the redirection

Upon successful exploitation, the campaign drops the following MD5: 518648694d3cb7000db916d930adeaaf

Upon execution it phones back to the following URLs/domains: ( –

Thanks to the overall availability of malware crypting on demand services, we believe that it’s only a matter of time before the cybercriminals behind this campaign realize that they’re spamvertising an already detected executable, crypt it, and spamvertise it once again, this time successfully slipping it through signature-based antivirus scanning solutions.

Webroot SecureAnywhere customers are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
