Over the past 24 hours, cybercriminals launched two consecutive massive email campaigns, impersonating Intui Payroll’s Direct Deposit Service system, in an attempt to trick end and corporate users into clicking on the malicious links found in the mails.
Upon clicking on any of links found in the emails, users are exposed to the client-side exploits served by the latest version of the Black Hole exploit kit.
Sample screenshot of the first spamvertised campaign:
Upon clicking on the links found in the malicious emails, users are exposed to the following bogus “Page loading…” screen:
Screenshots of the second spamvertised campaign:
Sample spamvertised compromised URLs:
Sample client-side exploit serving URLs:
Both of these malicious domains use to respond to 18.104.22.168; 22.214.171.124; 126.96.36.199. More malicious domains part of the campaign’s infrastructure are known to have responded to the same IPs, for instance, buzziskin.net; addsmozy.net; buycelluleans.com; indice-acores.net. The campaign used to rely on the following name servers: ns1.zikula-support.com; ns2.zikula-support.com
Sample client-side exploits served: CVE-2010-0188
Related analysis of malicious campaigns impersonating Intuit:
- Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit
- Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails
- Spamvertised Intuit themed emails lead to Black Hole exploit kit
Detection rate, MD5: 5723f92abf257101be20100e5de1cf6f – detected by 17 out of 43 antivirus scanners as Gen:Variant.Kazy.96378; Worm.Win32.Cridex.js, MD5: 06c6544f554ea892e86b6c2cb6a1700c – detected by 26 out of 43 antivirus scanners as Trojan.Win32.Buzus.mecu; Worm:Win32/Cridex.B
Webroot SecureAnywhere users are proactively protected from these threats.