Cybercriminals are currently spamvertising millions of emails impersonating Intuit, in an attempt to trick end users and corporate users into clicking on the malicious links found in the emails.

The emails pretend to come from Intuit’s PaymentNetwork and acknowledge the arrival of an incoming payment. In reality, they redirect users to Black Hole exploit kit landing URLs, where client-side exploits are served and, ultimately, malware is dropped on the infected hosts.

More details:

Screenshot of the spamvertised Intuit-themed malicious email:

Upon clicking on the links found in the email, users are exposed to the following bogus “Page loading…” page:

Spamvertised URLs:
hxxp://sklep.kosmetyki-nel.pl/intpmt.html
hxxp://kuzeybebe.com/o3whbp0G/index.html
hxxp://senzor.rs/prolintu.html

Client-side exploits serving URLs:
hxxp://69.194.194.238/view.php?s=2acc7093df3a2945
hxxp://proamd-inc.com/main.php?page=8cb1f95c85bce71b
hxxp://thaidescribed.com/main.php?page=8cb1f95c85bce71b

Client-side exploits served: CVE-2010-1885

Upon successful client-side exploitation, the campaign drops MD5: 4462c5b3556c5cab5d90955b3faa19a8 on the exploited hosts. The sample is detected by 29 out of 41 antivirus scanners as Worm.Win32.Cridex.fb; Worm:Win32/Cridex.B.

Upon execution, the sample phones back to renderingoptimization.info (87.255.51.229; Email: pauletta_carbonneau2120@quiklinks.com) on port 443.
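As an added defender-side example that is not part of the original post, the following Python script runs the campaign's indicators listed above over web-proxy log lines and tags each hit with the stage of the infection chain it belongs to (spam landing page, exploit kit, C&C beacon). The log format and the sample lines are constructed for this example; the URL-pattern check generalizes the two Black Hole landing URL shapes shown above to hosts that are not on the list.

```python
import re
from urllib.parse import urlparse

# Indicators from the post (the post defangs them as hxxp; hostnames are used as-is here).
SPAMVERTISED_HOSTS = {"sklep.kosmetyki-nel.pl", "kuzeybebe.com", "senzor.rs"}
EXPLOIT_KIT_HOSTS = {"69.194.194.238", "proamd-inc.com", "thaidescribed.com"}
C2_DOMAIN = "renderingoptimization.info"
C2_IP = "87.255.51.229"
DROPPER_MD5 = "4462c5b3556c5cab5d90955b3faa19a8"

# Both exploit-kit URL shapes seen in the campaign: main.php?page=<16 hex> and view.php?s=<16 hex>.
# Matching on the path catches the same kit pattern on hosts not yet on the list.
EXPLOIT_KIT_PATH = re.compile(r"^/(main\.php\?page|view\.php\?s)=[0-9a-f]{16}$")

# Constructed (hypothetical) proxy log format: client_ip dest_ip:port url
LOG_LINE = re.compile(r"^(\S+) (\S+):(\d+) (\S+)$")

# Constructed sample log lines; dest IPs for the benign and spam hosts are documentation-range addresses.
SAMPLE_LOG = [
    "10.0.0.5 198.51.100.20:80 http://example.com/index.html",
    "10.0.0.5 198.51.100.7:80 http://kuzeybebe.com/o3whbp0G/index.html",
    "10.0.0.5 69.194.194.238:80 http://69.194.194.238/view.php?s=2acc7093df3a2945",
    "10.0.0.5 87.255.51.229:443 https://renderingoptimization.info/",
]

def classify(line):
    """Return (stage, indicator) when a log line matches a campaign indicator, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    _client, dest_ip, port, url = m.groups()
    u = urlparse(url)
    host = u.hostname or ""
    path = u.path + ("?" + u.query if u.query else "")
    if host in SPAMVERTISED_HOSTS:
        return ("spam_landing", host)
    if host in EXPLOIT_KIT_HOSTS or EXPLOIT_KIT_PATH.match(path):
        return ("exploit_kit", host)
    if host == C2_DOMAIN or dest_ip == C2_IP:
        return ("c2_beacon", f"{dest_ip}:{port}")
    return None

def scan(lines):
    """Return [(line_number, stage, indicator)] for every matching line."""
    return [(i, *hit) for i, line in enumerate(lines, 1) if (hit := classify(line))]

def match_hash(md5_hex):
    """True when a file hash (from AV or EDR telemetry) is the dropped Cridex sample."""
    return md5_hex.strip().lower() == DROPPER_MD5

if __name__ == "__main__":
    for line_no, stage, indicator in scan(SAMPLE_LOG):
        print(f"line {line_no}: {stage} ({indicator})")
```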

Here is information on Intuit’s Online Security Center about this threat.

Webroot SecureAnywhere users are proactively protected from the client-side exploitation.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
