Think you’ve received an online greeting card from Think twice!

Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service in an attempt to trick end users and corporate users into clicking on links that serve client-side exploits and malware, courtesy of the Black Hole web malware exploitation kit.

What’s so special about this campaign? Can we connect it to previously spamvertised campaigns profiled at Webroot’s Threat Blog? Let’s find out.

More details:

Screenshot of the spamvertised email:

Upon clicking on any of the links found in the malicious emails, users are exposed to the following bogus “Page loading…” page:

Obfuscated JavaScript redirection:

Spamvertised malicious URLs: hxxp://; hxxp://; hxxp://; hxxp://; hxxp://; hxxp://

Client-side exploits serving URLs: hxxp:// –; hxxp://; hxxp://

Client-side exploits served: CVE-2010-1885

Upon successful exploitation, the campaign drops MD5: 42307705ad637c615a6ed5fbf1e755d1 – detected by 25 out of 42 antivirus scanners as Trojan.Win32.Yakes.ansm; Mal/Katusha-I.

Upon successful execution, the sample phones back to

More MD5s are known to have phoned back to the same command and control server, such as, for instance:

MD5: b11421acddbfc94544482d1846ba6d97
MD5: 4e0053fe00b65627c07dc8c85c85a351
MD5: 90d1b3367e97f384af029b0f1674f7ff
MD5: d2be252de958b7435279c6e8f270de4e is actually a name server offering DNS resolving services to related malicious and command and control servers part of the campaign such as:

Associated malicious name servers part of the campaign’s infrastructure:

Related client-side exploit and malware serving URLs spamvertised in the same campaign also drop MD5: cd0aac6df71fa28d4564406a24f7e1a2 – detected by 28 out of 42 antivirus scanners as Gen:Variant.Zusy.15382; P2P-Worm.Win32.Palevo.fbvx

The second sample phones back to not surprisingly, we’ve already seen this command and control server used in numerous profiled campaigns, such as, for instance, the AT&T Billing Center impersonation one, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign.
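As an added example (not code from the original post), the MD5 indicators listed above can be turned into a machine-readable watchlist and checked against files on disk, for instance a quarantine folder; the hashes and detection ratios are the ones this post states, while the regex, the directory walk and the function names are assumptions of the example.

```python
import hashlib
import re
from pathlib import Path

# Indicator statements copied from this post, used as constructed sample input
# for the extractor; only the MD5 hashes and detection ratios are taken from it.
WRITEUP_TEXT = """
Upon successful exploitation, the campaign drops MD5: 42307705ad637c615a6ed5fbf1e755d1 - detected by 25 out of 42 antivirus scanners as Trojan.Win32.Yakes.ansm; Mal/Katusha-I.
MD5: b11421acddbfc94544482d1846ba6d97
MD5: 4e0053fe00b65627c07dc8c85c85a351
MD5: 90d1b3367e97f384af029b0f1674f7ff
MD5: d2be252de958b7435279c6e8f270de4e
Related URLs also drop MD5: cd0aac6df71fa28d4564406a24f7e1a2 - detected by 28 out of 42 antivirus scanners as Gen:Variant.Zusy.15382; P2P-Worm.Win32.Palevo.fbvx
"""

# "MD5: <hash>" optionally followed by "- detected by N out of M" (hyphen or en dash).
MD5_RE = re.compile(
    r"MD5:\s*([0-9a-fA-F]{32})(?:\s*[-\u2013]\s*detected by (\d+) out of (\d+))?"
)

def extract_indicators(text):
    """Map each MD5 found in the prose to its AV detection ratio (None when not stated)."""
    indicators = {}
    for md5, hits, total in MD5_RE.findall(text):
        indicators[md5.lower()] = int(hits) / int(total) if hits else None
    return indicators

def md5_hex(data):
    """MD5 of a byte string; MD5 is used only because the post keys its indicators on it."""
    return hashlib.md5(data).hexdigest()

def md5_of_file(path, chunk=1 << 20):
    """Stream a file through MD5 so large dropped binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_directory(root, indicators):
    """Hash every regular file under root; return (path, md5, ratio) for watchlist hits."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = md5_of_file(p)
            if digest in indicators:
                hits.append((str(p), digest, indicators[digest]))
    return hits
```

Typical use is `scan_directory("/path/to/quarantine", extract_indicators(WRITEUP_TEXT))`; a low detection ratio on a hit is a reminder that AV coverage alone was not enough to stop the sample at the time of the write-up.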

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
