Cybercriminals newest spamvertised malware campaign is brand-jacking Verizon Wireless in an attempt to trick end users into clicking on the malicious links embedded in the email.
More details:
The campaign is relying on thousands of compromised legitimate web sites, where a tiny javascript file (.js) is hosted in an attempt to trick web reputation filters into thinking the content is served from a legitimate web sites. The campaign is ultimately redirecting to a BlackHole web malware exploitation kit at hxxp://slickcurve.com/showthread.php?t=d7ad916d1c0396ff which drops the following MD5: 99FAB94FD824737393F5184685E8EDF2.
It’s being launched by the same cybercriminals that launched last week’s “Malicious USPS-themed emails circulating in the wild” campaign, as both campaigns share the same directory/exploit-serving structure.
The MD5 is using the following dropzone for sending back the intercepted accounting data from the infected PCs – hxxp://176.28.18.135:8080/pony/gate.php Now where have we seen this IP before? In last week’s “Spamvertised LinkedIn notifications serving client-side exploits and malware” malware campaign where 176.28.18.135 was serving client-side exploits through the BlackHole web malware exploitation kit.
The MD5 also attempts to contact the following dropzones is 176.28.18.135 is unavailable:
- hxxp://85.214.243.87:8080/pony/gate.php
- hxxp://88.85.99.44:8080/pony/gate.php
It also downloads a copy of the ZeuS crimeware, using the following MD5: 86A548CADA5636B4A8ED7DE5F654FF96
Webroot security researchers will continue monitoring the campaign, to ensure that Webroot SecureAnywhere customers are protected from this ongoing threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
Sorry need to speak in laymans’ terms. What would the Verizon themed ‘your bill is now available’ actually do to my pc? And since I have webroot would I be protected from this? As I had something infect my contact list twice in the past two months and send out bogus/spam emails to all of my contacts with links. I’m guessing something may have slipped past the security?
Hi Betty,
Basically, once the client-side exploitation take place, a copy of the Pony malware will be dropped on the infected hosts. It will actively look for accounting data on the infected PC and send it back to the cybercriminals. It will then downloading its secondary payload, which in this case is the ZeuS crimeware aiming to steal online banking credentials and hijack online banking sessions.
Even if Webroot SecureAnywhere somehow missed any of the malicious files participating in the campaign, its behavior-blocking technology would pick up the malicious attempts to execute, and block them.
Thanks,
Dancho