{"id":8852,"date":"2012-11-30T00:00:13","date_gmt":"2012-11-30T07:00:13","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=8852"},"modified":"2018-10-05T11:56:39","modified_gmt":"2018-10-05T17:56:39","slug":"bogus-intuit-software-order-confirmations-lead-to-black-hole-exploit-kit","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/11\/30\/bogus-intuit-software-order-confirmations-lead-to-black-hole-exploit-kit\/","title":{"rendered":"Bogus ‘Intuit Software Order Confirmations’ lead to Black Hole Exploit Kit"},"content":{"rendered":"

Sticking to their well proven practice of systematically rotating impersonated brands, the cybercriminals behind a huge majority of the malicious campaigns that we’ve been profiling recently are once again impersonating Intuit<\/strong><\/a> in an attempt to trick its customers into clicking on links exposing them to the client-side exploits served by the Black Hole Exploit Kit<\/strong><\/a>.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot from the spamvertised email:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Sample spamvertised URL redirector:<\/strong> hxxp:\/\/www.mysnap.com.tw\/sites\/default\/files\/upload.htm?RANDOM_CHARACTERS<\/em><\/p>\n

Client-side exploits serving URL:<\/strong> hxxp:\/\/moneymakergrow.ru:8080\/forum\/links\/column.php<\/em><\/p>\n

Malicious domain name reconnaissance:<\/strong>
\nmoneymakergrow.ru<\/strong> – 202.180.221.186, AS24496; 203.80.16.81, AS24514; 207.126.57.208
\nName server: ns1.moneymakergrow.ru<\/strong> – 62.76.178.233
\nName server: ns2.moneymakergrow.ru<\/strong> – 132.248.49.112
\nName server: ns3.moneymakergrow.ru<\/strong> – 84.22.100.108
\nName server: ns4.moneymakergrow.ru<\/strong> – 65.99.223.24<\/p>\n

The following malicious domains also respond to the same IPs:
\nlimonadiksec.ru<\/strong>
\ngeforceexlusive.ru<\/strong>
\nsonatanamore.ru<\/strong>
\nlinkrdin.ru<\/strong>
\nlemonadiom.ru<\/strong>
\npeneloipin.ru<\/strong>
\nforumibiza.ru<\/strong>
\ndonkihotik.ru<\/strong>
\nfinitolaco.ru<\/strong>
\ncontrolleramo.ru<\/strong>
\nfionadix.ru<\/strong><\/p>\n

Although we couldn’t reproduce the client-side exploitation, we’ve already seen the majority of these malicious domains in previously profiled campaigns:<\/p>\n

moneymakergrow.ru<\/strong> – seen in – “\u2018Copies of Missing EPLI Policies\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>”
\nlimonadiksec.ru<\/strong> – seen in – “\u2018Regarding your Friendster password\u2019 themed emails lead to Black Hole exploit kit<\/strong><\/a>“; “\u2018Fwd: Scan from a Xerox W. Pro\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>”
\ngeforceexlusive.ru<\/strong> – seen in – “\u2018Fwd: Scan from a Xerox W. Pro\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>“; “\u2018Copies of Missing EPLI Policies\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>”
\nsonatanamore.ru<\/strong> – seen in – “\u2018Regarding your Friendster password\u2019 themed emails lead to Black Hole exploit kit<\/strong><\/a>“; “\u2018Fwd: Scan from a Xerox W. Pro\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>”
\nlinkrdin.ru<\/strong> – seen in – “\u2018Fwd: Scan from a Xerox W. Pro\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>“; “\u2018Copies of Missing EPLI Policies\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>“; “Cybercriminals spamvertise bogus \u2018Microsoft License Orders\u2019 serve client-side exploits and malware<\/strong><\/a>”
\nlemonadiom.ru<\/strong> – seen in – “\u2018Fwd: Scan from a Xerox W. Pro\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>“; “\u2018Copies of Missing EPLI Policies\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>”
\npeneloipin.ru<\/strong> – seen in – “\u2018Copies of Missing EPLI Policies\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>”
\nforumibiza.ru<\/strong> – seen in – “\u2018Copies of Missing EPLI Policies\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>”
\nfinitolaco.ru<\/strong> – seen in – “\u2018Fwd: Scan from a Xerox W. Pro\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>”
\ncontrolleramo.ru<\/strong> – seen in – “\u2018Copies of Missing EPLI Policies\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>“; “Multiple \u2018Inter-company\u2019 invoice themed campaigns serve malware and client-side exploits<\/strong>”
\nfionadix.ru<\/strong> – seen in – “\u2018Copies of Missing EPLI Policies\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>”<\/p>\n

Name servers part of the campaign’s infrastructure:<\/strong>
\nns1.limonadiksec.ru<\/strong> – 62.76.46.195
\nns2.limonadiksec.ru<\/strong> – 87.120.41.155
\nns3.limonadiksec.ru<\/strong> – 132.248.49.112
\nns4.limonadiksec.ru<\/strong> – 91.194.122.8
\nns5.limonadiksec.ru<\/strong> – 62.76.188.246
\nns1.geforceexlusive.ru<\/strong> – 62.76.47.51
\nns2.geforceexlusive.ru<\/strong> – 132.248.49.112
\nns3.geforceexlusive.ru<\/strong> – 84.22.100.108
\nns4.geforceexlusive.ru<\/strong> – 79.98.27.9
\nns1.sonatanamore.ru<\/strong> – 62.76.47.51
\nns2.sonatanamore.ru<\/strong> – 132.248.49.112
\nns3.sonatanamore.ru<\/strong> – 84.22.100.108
\nns1.linkrdin.ru<\/strong> – 85.143.166.170
\nns2.linkrdin.ru<\/strong> – 132.248.49.112
\nns3.linkrdin.ru<\/strong> – 84.22.100.108
\nns4.linkrdin.ru<\/strong> – 79.98.27.9
\nns1.lemonadiom.ru<\/strong> – 85.143.166.170
\nns2.lemonadiom.ru<\/strong> – 132.248.49.112
\nns3.lemonadiom.ru<\/strong> – 84.22.100.108
\nns4.lemonadiom.ru<\/strong> – 213.251.171.30
\nns1.peneloipin.ru<\/strong> – 62.76.186.190
\nns2.peneloipin.ru<\/strong> – 132.248.49.112
\nns3.peneloipin.ru<\/strong> – 84.22.100.108
\nns4.peneloipin.ru<\/strong> – 65.99.223.24
\nns1.forumibiza.ru<\/strong> – 62.76.186.190
\nns2.forumibiza.ru<\/strong> – 84.22.100.108
\nns3.forumibiza.ru<\/strong> – 50.22.102.132
\nns4.forumibiza.ru<\/strong> – 213.251.171.30
\nns1.donkihotik.ru<\/strong> – 62.76.186.190
\nns2.donkihotik.ru<\/strong> – 84.22.100.108
\nns3.donkihotik.ru<\/strong> – 50.22.102.132
\nns4.donkihotik.ru<\/strong> – 213.251.171.30
\nns1.finitolaco.ru<\/strong> – 85.143.166.170
\nns2.finitolaco.ru<\/strong> – 132.248.49.112
\nns3.finitolaco.ru<\/strong> – 84.22.100.108
\nns4.finitolaco.ru<\/strong> – 213.251.171.30<\/p>\n

Webroot SecureAnywhere<\/strong><\/a>\u00a0users are proactively protected from these threats.<\/p>\n

You can find more about Dancho Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Sticking to their well proven practice of systematically rotating impersonated brands, the cybercriminals behind a huge majority of the malicious campaigns that we’ve been profiling recently are once again impersonating Intuit in an attempt to trick its customers into clicking on links exposing them to the client-side exploits served by the Black Hole Exploit Kit. […]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[6187,6177,12407,12537,12539,11733,11729,12543,12535,6189,12437,12547,11737,11735,11731,12541,12533,12545,11747,11745],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8852"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=8852"}],"version-history":[{"count":4,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8852\/revisions"}],"predecessor-version":[{"id":25551,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8852\/revisions\/25551"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=8852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=8852"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=8852"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=8852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}