{"id":7710,"date":"2012-07-31T10:30:57","date_gmt":"2012-07-31T17:30:57","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=7710"},"modified":"2019-01-02T11:11:31","modified_gmt":"2019-01-02T18:11:31","slug":"spamvertised-your-ebay-funds-are-cleared-themed-emails-lead-to-black-hole-exploit-kit","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/07\/31\/spamvertised-your-ebay-funds-are-cleared-themed-emails-lead-to-black-hole-exploit-kit\/","title":{"rendered":"Spamvertised ‘Your Ebay funds are cleared’ themed emails lead to Black Hole exploit kit"},"content":{"rendered":"\n

Cybercriminals are currently mass mailing millions of emails impersonating eBay and PayPal in an attempt to trick end and corporate users into clicking on the malicious links found in the emails. Upon clicking on any of them, user are exposed to the client-side exploits served by the Black Hole exploit kit.<\/p>\n\n\n\n

More details:<\/p>\n\n\n\n\n\n\n\n

Screenshot of the spamvertised PayPal themed email:<\/strong>\n<\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n

Upon clicking on the link, users are exposed to the following bogus “Page loading…” page:<\/strong>\n<\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n

Spamvertised URLs:<\/strong> hxxp:\/\/deafstudiestrust.org.uk\/avail.html<\/em>; hxxp:\/\/tomstexascountycourthouses.com\/wp-content\/uploads\/fgallery\/avail.html<\/em><\/p>\n\n\n\n

Client-side exploits serving URL:<\/strong> hxxp:\/\/toeplunge.org\/main.php?page=298e0c1b89821c16<\/em><\/p>\n\n\n\n

The same client-side exploits serving URL has been used in another recently profiled spamvertised  campaign, this time impersonating AICPA.<\/p>\n\n\n\n

Client-side exploits served:<\/strong> CVE-2010-0188<\/a><\/em>; CVE-2010-1885<\/em><\/a><\/p>\n\n\n\n

Upon successful client-side exploitation, the campaign drops MD5: 96f7c9d231bc5835e4a7c07bc94c5b4a<\/strong><\/a> on the affected hosts, currently detected by 2 out of 41 antivirus scanners as UDS:DangerousObject.Multi.Generic; WS.Reputation.1<\/p>\n\n\n\n

Once executed, the sample will phone back to hxxp:\/\/87.204.199.100:8080\/mx5\/B\/in. <\/strong>We’ve also seen the same C&C used in yet another previously profiled spamvertised campaign<\/strong><\/a>, this time impersonating Craigslist<\/strong><\/a>.<\/p>\n\n\n\n

Based on these observations, we can easily conclude that a single cybercriminal or a gang of cybercriminals is systematically introducing undetected malicious executables and rotating the client-side exploits serving URLs, next to impersonating popular brands in an attempt to socially engineer users into interacting with these malicious emails.<\/p>\n\n\n\n

This is the second PayPal\/eBay themed malicious campaign<\/strong><\/a>\u00a0that we’ve intercepted and profiled in recent months. We predict that due to the obvious high click-through rates thanks to the systematic rotation of the malicious domains and impersonated brands, we’ll see more campaigns abusing their trusted Web reputation<\/a>.<\/p>\n\n\n\n

PayPal has information on their website<\/a> <\/strong>to help users identify legitimate emails.<\/p>\n\n\n\n

Webroot SecureAnywere<\/strong><\/a> users are proactively protected from this threat.<\/p>\n\n\n\n

You can find more about Dancho Danchev at his LinkedIn Profile<\/strong><\/a>. You can also follow him on  Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Cybercriminals are currently mass mailing millions of emails impersonating eBay and PayPal in an attempt to trick end and corporate users into clicking on the malicious links found in the emails. Upon clicking on any of them, user are exposed to the client-side exploits served by the Black Hole exploit kit. More details:<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[11725,11719,10115,9563,6185,6193,11715,10981,10283,11721,4065,23757,11723,11711,11727,23759,11717,11713,23761,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7710"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=7710"}],"version-history":[{"count":3,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7710\/revisions"}],"predecessor-version":[{"id":26523,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7710\/revisions\/26523"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=7710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=7710"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=7710"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=7710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}