American Airlines customers, watch where you click! Cybercriminals are currently spamvertising millions of emails impersonating the company in an attempt to trick end users and corporate users into clicking on the malicious links found in the spamvertised email.

Once a link is clicked, the campaign redirects users to a Black Hole exploit kit landing URL, where client-side exploits are served against outdated third-party software and browser plugins.

More details:

Screenshots of a sample spamvertised email:

Once users click on any of the links in the spamvertised email, they are exposed to the following fake “Page loading…” page:

Spamvertised URL: hxxp://luxify.net/wp-admin/aair.html, which redirects to hxxp://princess-sales.net/main.php?page=7e45713861176c6b (203.237.211.223) or hxxp://ghanarpower.net/main.php?page=8c6c59becaa0da07 (203.237.211.223)

Upon successful client-side exploitation of CVE-2010-1885, the Black Hole exploit kit drops the following sample on infected hosts: MD5: c70d309171d9844f331081b3c3d80ff

Detection rate: Detected by 25 out of 42 antivirus scanners as Trojan.Generic.KDV.664936; Worm:Win32/Cridex.E

Upon execution, the sample phones back to 210.56.23.100:8080/za/v_01_b/in/

Responding to 210.56.23.100, AS7590, COMSATS Commission on Science and Technology for Sustainable Development in the South, are the following command and control servers:


The name server infrastructure of these domains is parked at the following IPs: 94.63.147.96; 171.25.190.249; 188.116.32.177
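The infection chain described above (compromised redirector, Black Hole landing URL, Cridex check-in, C2 domains) expressed as detection logic run over web proxy logs. This is an added example, not code from the post or from Webroot: the log format, client IPs and timestamps are constructed, the indicators are the post's own, and only three of the listed C2 domains are included.

```python
import re
from collections import defaultdict

# Indicators from the post. Only a subset of the C2 domain list is kept here.
REDIRECTOR = "luxify.net/wp-admin/aair.html"
BLACKHOLE_LANDING = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")   # classic Black Hole landing URL shape
CRIDEX_CHECKIN = re.compile(r"^210\.56\.23\.100:8080/za/v_01_b/in/")
C2_DOMAINS = {"cpojkjfhotzpod.ru", "upjachkajasamns.ru", "insomniacporeed.ru"}

# Constructed proxy log format (assumption): "<unix ts> <client ip> <method> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\w+) (?P<url>\S+)$")

SAMPLE_LOG = """\
1344000000 10.0.0.5 GET http://luxify.net/wp-admin/aair.html
1344000002 10.0.0.5 GET http://princess-sales.net/main.php?page=7e45713861176c6b
1344000040 10.0.0.5 POST http://210.56.23.100:8080/za/v_01_b/in/
1344000100 10.0.0.9 GET http://example.org/main.php?page=about
1344000150 10.0.0.9 GET http://cpojkjfhotzpod.ru/
""".splitlines()

def classify(url):
    """Return the indicator name a requested URL matches, or None."""
    host_path = re.sub(r"^https?://", "", url)
    host = host_path.split("/", 1)[0].split(":")[0]
    if host_path == REDIRECTOR:
        return "compromised_redirector"
    if CRIDEX_CHECKIN.match(host_path):
        return "cridex_checkin"
    if host in C2_DOMAINS:
        return "c2_domain"
    if BLACKHOLE_LANDING.search(host_path):   # page=about does not match: not 16 hex chars
        return "blackhole_landing"
    return None

def scan(lines, window=60):
    """Return (hits, chains): every indicator hit as (client, indicator, url), plus the set of
    clients whose landing-page hit is followed within `window` seconds by a Cridex check-in,
    i.e. a likely successful exploitation rather than a blocked or failed one."""
    hits, seen = [], defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        ind = classify(m["url"]) if m else None
        if ind:
            hits.append((m["client"], ind, m["url"]))
            seen[m["client"]].append((int(m["ts"]), ind))
    chains = set()
    for client, events in seen.items():
        landings = [t for t, i in events if i == "blackhole_landing"]
        checkins = [t for t, i in events if i == "cridex_checkin"]
        if any(0 <= c - l <= window for l in landings for c in checkins):
            chains.add(client)
    return hits, chains
```

The chain correlation matters because a landing-page hit alone may mean the exploit failed against a patched browser, whereas a check-in shortly afterwards indicates a host that needs reimaging.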

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

Blog Staff
