November 8, 2012Dancho Danchev By Dancho Danchev

‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware

Cybercriminals are currently spamvertising millions of emails impersonating Discover, in an attempt to trick cardholders into clicking on the client-side exploits serving URLs found in the malicious emails. Upon clicking on the links, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign: hxxp://www.alacinc.org.nz/impdiscm.html; hxxp://viajesybuceo.es/impdiscm.html; hxxp://www.akncorporation.com/impdiscm.html; hxxp://www.smoc.tw/impdiscm.html; hxxp://www.mofty.net/impdiscm.html; hxxp://akweb.nl/webcalendar/includes/impdiscm.htmlhxxp://fullhome.net/discinfo.html

Client-side exploits serving URLs: hxxp://netgear-india.net/detects/discover-important_message.php; hxxp://netgear-india.net/detects/discover-important_message.php?qejbu=360a070b03&tfy=35&xio=34023705350a050a0b38&wcxa=02000200020002hxxp://teamscapabilitieswhich.org/detects/discover-important_message.php

Upon loading, these URLs attempt to exploit CVE-2010-0188 by dropping a malicious PDF file on the affected host, which then drops the actual malware upon successful client-side exploitation.

Sample detection rate for the dropped malware: MD5: 80601551f1c83ee326b3094e468c6b42 – detected by 4 out of 44 antivirus scanners as UDS:DangerousObject.Multi.Generic

Upon execution, the sample phones back to 200.169.13.84:8080/AJtw/UCyqrDAA/Ud+asDAA, AS21574

Client-side exploits serving domain reconnaissance:
teamscapabilitieswhich.org responds to 183.180.134.217, AS2519 – Email: anil_valiquette124@dawnsonmail.com
Name Server: NS1.CHELSEAFUN.NET – 173.234.9.89
Name Server: NS2.CHELSEAFUN.NET – 65.131.100.90

netgear-india.net – 183.180.134.217, AS2519
Name Server:  NS1.TOPPAUDIO.COM – 91.216.93.61
Name Server:  NS2.TOPPAUDIO.COM – 173.234.9.89

The same name servers (NS1.TOPPAUDIO.COM; NS2.TOPPAUDIO.COM) were also used in the recently profiled “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“, indicating a connection between these campaigns.

Responding to the same IP (183.180.134.217) are also the following malicious domains part of the campaign’s infrastructure:
rovo.pl
itracrions.pl
radiovaweonearch.com
unitmusiceditior.com
newtimedescriptor.com
steamedboasting.info
solla.at
votela.net
puzzledbased.net
stempare.net
questionscharges.net
bootingbluray.net

We’ve also seen (steamedboasting.info) used in the recently profiled “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit” campaign, indicating that these campaigns are operated by the same cybercriminal/gang of cybercriminals.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button

11 Responses to ‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware

  1. Pingback: ‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  2. Pingback: ‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  3. Pingback: Bogus Better Business Bureau themed notifications serve client-side exploits and malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  4. Pingback: Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  5. Pingback: Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  6. Pingback: Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  7. Pingback: Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits and malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  8. Pingback: ‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole Exploit Kit « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  9. Pingback: Fake “You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  10. Pingback: Spamvertised BBB ‘Your Accreditation Terminated” themed emails lead to Black Hole Exploit Kit | Webroot Threat Blog - Internet Security Threat Updates from Around the World

  11. Pingback: ‘ADP Package Delivery Notification’ themed emails lead to Black Hole Exploit Kit | Webroot Threat Blog - Internet Security Threat Updates from Around the World

Leave a Reply

Your email address will not be published. Required fields are marked *