Sticking to their well proven social engineering tactics consisting of systematic rotation of the abused brands, cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick end and corporate users into interacting with the malicious campaign.

Once the interaction takes place, users are exposed to the client-side exploits served by the Black Hole exploit kit, currently the market share leader within the cybercrime ecosystem.

More details:

Screenshot of the spamvertised email:

Upon clicking on the link, users are exposed to bogus “Page loading…” page:

Spamvertised URLs: hxxp://

Client-side exploit serving URL: hxxp://

Client-side exploits served: CVE-2010-0188CVE-2010-1885

Detection rate for a sample redirection script: MD5: 2276947d2f3a7abc88e89089e65dce23

Upon successful client-side exploitation, the campaign drops MD5: 05e0958ef184a27377044655d7b23cb0 on the affected hosts, detected by 28 out of 41 antivirus scanners as Trojan.Generic.KDV.679870; Trojan-Dropper.Win32.Dapato.bnej.

Upon execution the sample phones back to a well known command and control server – which we’ve already seen in several previously profiled malware-serving campaigns.

As we’ve already predicted, the cybercriminal or gang of cybercriminals behind these persistent and massive spam campaigns will simply continue rotating the impersonated brands in an attempt to target millions of users across multiple Web properties.

PayPal has information on their website to help users identify legitimate emails.

Webroot SecureAnywere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This