Over the past 24 hours, cybercriminals have spamvertised millions of emails impersonating Intuit Market, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails.

Upon clicking on them, users are exposed to the client-side exploits served by the Black Hole web malware exploitation kit.

More details:

Sample screenshot of the spamvertised email:

Spamvertised malicious iFrame domains: hxxp://kolmykiaonline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c; hxxp://anapoli.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c

Client-side exploits served: CVE-2010-1885; CVE-2010-0188

Upon successful client-side exploitation the campaign drops MD5: aea6d9be93a6f64357b96db96e9c7e10 – detected by 20 out of 42 antivirus scanners as Trojan-Dropper.Win32.Dapato.bpqu; Worm:Win32/Cridex.E, and MD5: 7fe4d2e52b6f3f22b2f168e8384a757e – detected by 28 out of 42 antivirus scanners as Trojan.Win32.Buzus.lxwt; Worm:Win32/Cridex.E

Name servers part of the campaign’s infrastructure:
kolmykiaonline.ru –;
ns1.kolmykiaonline.ru –
ns2.kolmykiaonline.ru –
ns3.kolmykiaonline.ru –

anapoli.ru –;;
ns1.anapoli.ru –
ns2.anapoli.ru –
ns3.anapoli.ru –
ns4.anapoli.ru –
ns5.anapoli.ru –

We’ve already seen the same IPs and command and control servers used in the recently profiled “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” campaign. Based on this fact, we can conclude that these campaigns are operated by the same cybercriminal/gang of cybercriminals.

The last time we profiled an Intuit themed malicious campaign, was in July 2012.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This