
Care Enough to Send the Very Worst

Cybercriminals resume spamvertising bogus greeting cards, serve exploits and malware

Remember the recently profiled 123greetings.com themed malicious campaign?

It appears that over the past 24 hours, the cybercriminals behind it have resumed spamvertising millions of emails pointing to additional compromised URLs in a clear attempt to improve their click-through rates.

More details:

Sample screenshot of the spamvertised email:

Sample spamvertised email

Sample screenshot of the JavaScript redirection:

Sample of the JavaScript redirection

Sample spamvertised compromised URLs: hxxp://sheregesh-nsk.ru/modules/mod_wp/capo.html; hxxp://avto-optic.ru/modules/mod_wp/gree.html; hxxp://anime-nsk.ru/modules/mod_wp/gree.html; hxxp://115.47.73.66/gree.html; hxxp://bjflm.cn/gree.html; hxxp://qichepeijianwang.com/gree.html; hxxp://avtodicki.ru/modules/mod_wp/capo.html

Sample Black Hole exploit kit landing URL: hxxp://monstercompanionsbonuses.info/main.php?page=18bd34ba262669f3

Detection rate for a sample JavaScript redirection: MD5: 75e030e741875d29f12b179f2657e5fd – detected by 5 out of 42 antivirus scanners as Trojan.JS.Iframe.aby; Trojan.Webkit!html.

Upon successful client-side exploitation, the campaign drops MD5: 864e1dec051cbd800ed59f6f91554597 – detected by 3 out of 42 antivirus scanners as W32/Yakes.AP!tr.

Once executed, the malware phones back to 216.38.12.158:8080/mx/5/B/in (recipe.devrich.com, AS32181). Another domain is known to have been responding to the same IP in the past, namely, hxxp://imanuilletapchenko.ru:8080/html/yveveqduclirb1.php
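As an added defender-side illustration (not code from the original post), the script below labels web-proxy log lines against the three stages of the chain described above: the compromised redirector pages, the Black Hole landing URL pattern, and the phone-home to 216.38.12.158:8080/mx/5/B/in. Only indicators quoted in this post are used; the log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Indicators quoted in the write-up above (compromised paths, exploit-kit domain, C2 endpoint).
REDIRECTOR_PATH = re.compile(r"^(?:/modules/mod_wp)?/(?:gree|capo)\.html$")
BLACKHOLE_LANDING = re.compile(r"^/main\.php\?page=[0-9a-f]{16}$")
EXPLOIT_KIT_HOST = "monstercompanionsbonuses.info"
C2_ENDPOINT = ("216.38.12.158", 8080, "/mx/5/B/in")

# Constructed (hypothetical) proxy-log format:
#   "<timestamp> <client> <method> <host>:<port> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^:\s]+):(\d+) (\S+) (\d{3})$")


def classify(line):
    """Return the infection-chain stage a log line matches, or None if it matches nothing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, _client, _method, host, port, path, _status = m.groups()
    # Strongest signal first: a beacon to the known C2 means the dropped binary already ran.
    if host == C2_ENDPOINT[0] and int(port) == C2_ENDPOINT[1] and path.startswith(C2_ENDPOINT[2]):
        return "stage3-c2-beacon"
    # Either the exploit-kit domain itself or its main.php?page=<16 hex> landing pattern.
    if host == EXPLOIT_KIT_HOST or BLACKHOLE_LANDING.match(path):
        return "stage2-exploit-kit-landing"
    # Weakest signal: the gree.html/capo.html pages planted on the compromised sites.
    if REDIRECTOR_PATH.match(path):
        return "stage1-compromised-redirector"
    return None


def triage(lines):
    """Group matched stages per client address so the furthest stage reached is obvious."""
    hits = defaultdict(list)
    for line in lines:
        stage = classify(line)
        if stage:
            hits[line.split()[1]].append(stage)
    return dict(hits)


# Constructed sample log: one client walks the whole chain, one is clean, one only hit a redirector.
SAMPLE_LOG = [
    "2012-11-20T10:01:02Z 10.0.0.5 GET sheregesh-nsk.ru:80 /modules/mod_wp/capo.html 200",
    "2012-11-20T10:01:03Z 10.0.0.5 GET monstercompanionsbonuses.info:80 /main.php?page=18bd34ba262669f3 200",
    "2012-11-20T10:01:09Z 10.0.0.5 POST 216.38.12.158:8080 /mx/5/B/in 200",
    "2012-11-20T10:02:00Z 10.0.0.7 GET example.com:80 /index.html 200",
    "2012-11-20T10:02:30Z 10.0.0.9 GET 115.47.73.66:80 /gree.html 404",
]

if __name__ == "__main__":
    for client, stages in triage(SAMPLE_LOG).items():
        print(client, "->", stages)
```

A client that reaches stage 3 warrants host isolation and a look for the dropped binary (MD5 864e1dec051cbd800ed59f6f91554597); a stage-1-only hit usually means the redirect was blocked or the page returned an error.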

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
