Cybercriminals are currently spamvertising yet another social-engineering driven malicious email campaign, this time impersonating US Airways.
Upon clicking on the malicious links found in the emails, end and corporate users are exposed to client-side exploits courtesy of the BlackHole web malware exploitation kit.
More details:
Spamvertised subjects: US Airways online check-in, US Airways reservation confirmation, Confirm your US airways online reservation, US Airways online check-in confirmation
Message: You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). After that, all you have to do is print your boarding pass and go to the gate. Confirmation code: 250462 Check-in online: Online reservation details
Spamvertised malicious URL: hxxp://goldapnews.pl/zh6jPwn1/index.html
Once the users click on the malicious links found in the email, obfuscated JavaScript loaded from multiple compromised web servers attempts to redirect them to the URL serving the client-side exploits, courtesy of the BlackHole web malware exploitation kit.
Related posts:
- Researchers intercept two client-side exploits serving malware campaigns
- Researchers intercept a client-side exploits serving malware campaign
Compromised URLs, part of the campaign (the affected web sites are currently in the process of cleaning up their compromised domains, and are therefore currently serving an HTTP/1.1 404 Not Found error message):
hxxp://alasinmedia.pp.fi/8qeXM1Kx/js.js
hxxp://boxpluss.com/00o6FfJc/js.js
hxxp://raja-sms.com/roLcnvNu/js.js
The campaign is attempting to exploit end and corporate users using the following vulnerabilities – Libtiff integer overflow in Adobe Reader and Acrobat (also known as CVE-2010-0188) and Help Center URL Validation Vulnerability (also known as CVE-2010-1885).
Client-side exploitation directory structure for the campaign:
hxxp://goldapnews.pl/zh6jPwn1/index.html – compromised legitimate web site
hxxp://66.151.244.191/showthread.php?t=73a07bcb51f4be71 – compromised game server
hxxp://66.151.244.191/data/ap2.php?f=4203d – compromised game server
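As an added example, not part of the original post: a small Python filter that walks proxy-log lines and flags clients whose requests follow the redirection chain described here (a js.js loader fetched from a third-party host, then a showthread.php?t=<hex> landing page and a data/ap2.php?f=<hex> request on an IP-literal host). The log format and sample lines are constructed, and the URL patterns are generalized from the ones listed in this post rather than taken from any kit signature.

```python
import re
from collections import defaultdict

# Constructed sample proxy log: "client_ip timestamp url" per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 2012-03-20T10:01:02 http://goldapnews.pl/zh6jPwn1/index.html
10.0.0.5 2012-03-20T10:01:03 http://alasinmedia.pp.fi/8qeXM1Kx/js.js
10.0.0.5 2012-03-20T10:01:03 http://boxpluss.com/00o6FfJc/js.js
10.0.0.5 2012-03-20T10:01:05 http://66.151.244.191/showthread.php?t=73a07bcb51f4be71
10.0.0.5 2012-03-20T10:01:09 http://66.151.244.191/data/ap2.php?f=4203d
10.0.0.9 2012-03-20T10:02:00 http://example.org/forum/showthread.php?t=12345
"""

IP_HOST = r"\d{1,3}(?:\.\d{1,3}){3}"
# Stage patterns generalized from the URLs documented in the post (assumption: the
# eight-character directory and the hex query values are stable across the campaign).
LOADER = re.compile(r"^https?://[^/]+/[A-Za-z0-9]{8}/js\.js$")
LANDING = re.compile(r"^https?://" + IP_HOST + r"/showthread\.php\?t=[0-9a-f]{16}$")
PAYLOAD = re.compile(r"^https?://" + IP_HOST + r"/data/ap2\.php\?f=[0-9a-f]+$")


def classify(url):
    """Map a URL to a stage of the chain, or None if it matches no stage."""
    if LOADER.match(url):
        return "loader"
    if LANDING.match(url):
        return "landing"
    if PAYLOAD.match(url):
        return "payload"
    return None


def find_exploit_chains(log_text):
    """Return {client: [stages in order of first appearance]} for every client
    that reached a landing page; a forum showthread.php on a named host is ignored."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        client, _ts, url = line.split()
        stage = classify(url)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return {c: s for c, s in seen.items() if "landing" in s}


if __name__ == "__main__":
    for client, stages in find_exploit_chains(SAMPLE_LOG).items():
        print(client, "->", " > ".join(stages))
```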
IP Information for 66.151.244.191:
Resolves to v-66-151-244-191.unman-vds.internap-dallas.nfoservers.com
Hosted in the: United States
AS: AS12179, INTERNAP-2BLK Internap Network Services
According to independent sources, 66.151.244.191 was previously used as a game server, indicating a possible compromise by the cybercriminals behind this ongoing campaign.
The campaign ultimately drops the following malicious executable – MD5: 340f5884390ddcc42837078d63b6f293
Based on the campaign’s structure, it’s launched by the same gang of cybercriminals that recently launched the following campaigns: “Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware”; “Spamvertised LinkedIn notifications serving client-side exploits and malware”.
Webroot expects the gang will continue diversifying the market segment of the brand-jacked companies, and will continue relying on the fact that end and corporate users keep using the Web while running outdated versions of their third-party software and browser plugins.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.