{"id":6757,"date":"2012-04-03T12:07:00","date_gmt":"2012-04-03T19:07:00","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=6757"},"modified":"2018-01-30T13:03:18","modified_gmt":"2018-01-30T20:03:18","slug":"spamvertised-us-airways-themed-emails-serving-client-side-exploits-and-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/04\/03\/spamvertised-us-airways-themed-emails-serving-client-side-exploits-and-malware\/","title":{"rendered":"Spamvertised &#8216;US Airways&#8217; themed emails serving client-side exploits and malware"},"content":{"rendered":"<p>Cybercriminals are currently spamvertising yet another social-engineering driven malicious email campaign, this time impersonating <strong><a href=\"http:\/\/www.usairways.com\">U.S Airways<\/a><\/strong>.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/webrootblog.files.wordpress.com\/2012\/04\/us_airways_client_side_exploits_malware.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter  wp-image-6758\" title=\"US_Airways_client_side_exploits_malware\" src=\"http:\/\/webrootblog.files.wordpress.com\/2012\/04\/us_airways_client_side_exploits_malware.png\" alt=\"\" width=\"416\" height=\"287\" \/><\/a><\/p>\n<p>Upon clicking on the malicious links found in the emails, end and corporate users are exposed to client-side exploits courtesy of the BlackHole web malware exploitation kit.<\/p>\n<p>More details:<\/p>\n<p><!--more--><\/p>\n<p><strong>Spamvertised subjects:\u00a0<\/strong><em>US Airways online check-in,\u00a0US Airways reservation confirmation,\u00a0Confirm your US airways online reservation,\u00a0US Airways online check-in confirmation<\/em><\/p>\n<p><strong>Message:\u00a0<\/strong><em>You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you&#8217;re flying internationally). 
After that, all you have to do is print your boarding pass and go to the gate.\u00a0Confirmation code: 250462 Check-in online: Online reservation details<\/em><\/p>\n<p><strong>Spamvertised malicious URL:\u00a0<\/strong><em>hxxp:\/\/goldapnews.pl\/zh6jPwn1\/index.html<\/em><\/p>\n<p>Once users click on the malicious links found in the email, obfuscated JavaScript code will attempt to load from multiple compromised web servers in order to redirect them to the client-side exploit serving URL, courtesy of the BlackHole web malware exploitation kit.<\/p>\n<p><a href=\"http:\/\/webrootblog.files.wordpress.com\/2012\/04\/us_airways_client_side_exploits_malware_01.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-6760\" title=\"US_Airways_client_side_exploits_malware_01\" src=\"http:\/\/webrootblog.files.wordpress.com\/2012\/04\/us_airways_client_side_exploits_malware_01.png\" alt=\"\" width=\"434\" height=\"119\" \/><\/a><\/p>\n<p>Go through related posts:<\/p>\n<ul>\n<li><a href=\"http:\/\/blog.webroot.com\/2012\/02\/08\/researchers-intercept-two-client-side-exploits-serving-malware-campaigns\/\">Researchers intercept two client-side exploits serving malware campaigns<\/a><\/li>\n<li><a href=\"http:\/\/blog.webroot.com\/2012\/01\/25\/researchers-intercept-a-client-side-exploits-serving-malware-campaign\/\">Researchers intercept a client-side exploits serving malware campaign<\/a><\/li>\n<\/ul>\n<p>Compromised URLs, part of the campaign (the affected web sites are currently in the process of cleaning up their compromised domains, and therefore currently serve an HTTP\/1.1 404 Not Found error message):<\/p>\n<p><strong>hxxp:\/\/alasinmedia.pp.fi\/8qeXM1Kx\/js.js<\/strong><br \/>\n<strong>hxxp:\/\/boxpluss.com\/00o6FfJc\/js.js<\/strong><br \/>\n<strong>hxxp:\/\/raja-sms.com\/roLcnvNu\/js.js<\/strong><\/p>\n<p>The campaign is attempting to exploit end and corporate users using the following vulnerabilities 
&#8211;\u00a0<em>Libtiff integer overflow in Adobe Reader and Acrobat<\/em> (also known as\u00a0<a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2010-0188\">CVE-2010-0188<\/a>) and\u00a0<em>Help Center URL Validation Vulnerability<\/em> (also known as\u00a0<a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2010-1885\">CVE-2010-1885<\/a>).<\/p>\n<p>Client-side exploitation directory structure for the campaign:<\/p>\n<p><strong>hxxp:\/\/goldapnews.pl\/zh6jPwn1\/index.html &#8211;\u00a0<\/strong>compromised legitimate web site<br \/>\n<strong>hxxp:\/\/66.151.244.191\/showthread.php?t=73a07bcb51f4be71\u00a0<\/strong>&#8211; compromised game server<br \/>\n<strong>hxxp:\/\/66.151.244.191\/data\/ap2.php?f=4203d &#8211;\u00a0<\/strong>compromised game server<\/p>\n<p><strong>IP Information for 66.151.244.191:<\/strong><\/p>\n<blockquote><p>Resolves to v-66-151-244-191.unman-vds.internap-dallas.nfoservers.com<br \/>\nHosted in the: United States<br \/>\nAS: AS12179, INTERNAP-2BLK Internap Network Services<\/p><\/blockquote>\n<p>According to independent sources,\u00a0<strong><a href=\"http:\/\/battletracker.com\/bf3server\/66.151.244.191:25200\/\">66.151.244.191<\/a>\u00a0<\/strong>was previously used as <strong><a href=\"http:\/\/battletracker.com\/serverblog\/66.151.244.191:25200\/?game=bf3\">a game server<\/a><\/strong>, indicating a possible compromise by the cybercriminals behind this ongoing campaign.<\/p>\n<p>The campaign ultimately drops the following malicious executable &#8211; <strong>MD5: 340f5884390ddcc42837078d63b6f293<\/strong><\/p>\n<p>Based on the campaign&#8217;s structure, it&#8217;s launched by the same gang of cybercriminals that recently launched the following campaigns &#8220;<strong><a href=\"http:\/\/blog.webroot.com\/2012\/03\/29\/spamvertised-verizon-themed-your-bill-is-now-available-emails-lead-to-zeus-crimeware\/\">Spamvertised Verizon-themed \u2018Your Bill Is Now Available\u2019 emails lead to ZeuS 
crimeware<\/a><\/strong>&#8221;; &#8220;<strong><a href=\"http:\/\/blog.webroot.com\/2012\/03\/23\/spamvertised-linkedin-notifications-serving-client-side-exploits-and-malware\/\">Spamvertised LinkedIn notifications serving client-side exploits and malware<\/a><\/strong>&#8221;.<\/p>\n<p>Webroot expects the gang will continue diversifying the market segments of the brand-jacked companies, and to continue relying on the fact that <strong><a href=\"http:\/\/www.zdnet.com\/blog\/security\/seven-myths-about-zero-day-vulnerabilities-debunked\/7026\">end and corporate users continue using the Web<\/a><\/strong> while relying on\u00a0<strong><a href=\"http:\/\/secunia.com\/vulnerability_scanning\/personal\/\">outdated versions of their third-party software<\/a><\/strong> and <strong><a href=\"http:\/\/www.mozilla.org\/en-US\/plugincheck\/\">browser plugins<\/a><\/strong>.<\/p>\n<p><em>You can find more about Dancho Danchev at his\u00a0<strong><a href=\"http:\/\/nl.linkedin.com\/in\/danchodanchev\">LinkedIn Profile<\/a><\/strong>. You can also\u00a0<strong><a href=\"http:\/\/www.twitter.com\/danchodanchev\">follow him on Twitter<\/a><\/strong>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are currently spamvertising yet another social-engineering driven malicious email campaign, this time impersonating U.S. Airways. Upon clicking on the malicious links found in the emails, end and corporate users are exposed to client-side exploits courtesy of the BlackHole web malware exploitation kit. 
More details:<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[10631,9557,9549,9547,9563,10103,6193,9685,10633,10635,10627,10337,10331,9695,10629,9561,10297,10625,9559,9551],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6757"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=6757"}],"version-history":[{"count":1,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6757\/revisions"}],"predecessor-version":[{"id":23881,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6757\/revisions\/23881"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=6757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=6757"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=6757"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=6757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}