Think you’ve received an online greeting card from 123greetings.com? Think twice!
Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service 123greetings.com in an attempt to trick end and corporate users into clicking on client-side exploits and malware serving links, courtesy of the Black Hole web malware exploitation kit.
What’s so special about this campaign? Can we connect it to previously spamvertised campaigns profiled at Webroot’s Threat Blog? Let’s find out.
More details:
Screenshot of the spamvertised email:
Upon clicking on any of the links found in the malicious emails, users are exposed to the following bogus “Page loading…” page:
Obfuscated java script redirection:
Spamvertised malicious URLs: hxxp://bjflm.cn/postc.html; hxxp://minihotel74.com/pcard.html; hxxp://wowgame.net.cn/pcard.html; hxxp://phototula.ru/postc.html; hxxp://joanjoy.com/postc.html; hxxp://akrepilaclama.org/wp-content/plugins/akismet/greet.html; hxxp://vinointhevalley.com/wp-content/plugins/akismet/greet.html
Client-side exploits serving URLs: hxxp://remindingwands.org/main.php?page=861097b084221fd8 – 78.87.123.114; hxxp://voicecontroldevotes.info/main.php?page=6df8994172330e77; hxxp://immigrationunix.pro/main.php?page=28677a727aff0456
Client-side exploits served: CVE-2010-1885
Upon sucessful exploitation, the campaign drops MD5: 42307705ad637c615a6ed5fbf1e755d1 – detected by 25 out of 42 antivirus scanners as Trojan.Win32.Yakes.ansm; Mal/Katusha-I.
Upon successful execution, the sample phones back to 87.120.41.155:8080/mx5/B/in
More MD5s are known to have phoned back to the same command and control server, such as for instance:
MD5: b11421acddbfc94544482d1846ba6d97
MD5: 4e0053fe00b65627c07dc8c85c85a351
MD5: 90d1b3367e97f384af029b0f1674f7ff
MD5: d2be252de958b7435279c6e8f270de4e
87.120.41.155 is actually a name server offering DNS resolving services to related malicious and command and control servers part of the campaign such as:
spb-koalitia.ru
onerussiaboard.ru
mysqlfordummys.ru
online-gaminatore.ru
leprisoruim.ru
switched-games.ru
ipadvssonyx.ru
online-cammunity.ru
zenedin-zidane.ru
porschedesignrussia.ru
Associated malicious name servers part of the campaign’s infrastructure:
ns1.spb-koalitia.ru – 62.76.190.208
ns2.spb-koalitia.ru – 203.172.140.202
ns3.spb-koalitia.ru – 87.120.41.155
ns4.spb-koalitia.ru – 173.224.208.60
ns5.spb-koalitia.ru – 62.76.188.138
ns1.onerussiaboard.ru – 62.76.190.208
ns2.onerussiaboard.ru – 203.172.140.202
ns3.onerussiaboard.ru – 87.120.41.155
ns4.onerussiaboard.ru – 173.224.208.60
ns5.onerussiaboard.ru – 62.76.188.138
ns1.mysqlfordummys.ru – 62.76.190.208
ns2.mysqlfordummys.ru – 203.172.140.202
ns3.mysqlfordummys.ru – 87.120.41.155
ns4.mysqlfordummys.ru – 173.224.208.60
ns5.mysqlfordummys.ru – 62.76.188.138
ns1.online-gaminatore.ru – 62.213.64.161
ns2.online-gaminatore.ru – 85.143.166.243
ns3.online-gaminatore.ru – 41.66.137.155
ns4.online-gaminatore.ru – 184.106.189.124
ns5.online-gaminatore.ru – 203.172.140.202
ns6.online-gaminatore.ru – 87.120.41.155
ns1.leprisoruim.ru – 62.76.190.208
ns2.leprisoruim.ru – 203.172.140.202
ns3.leprisoruim.ru – 87.120.41.155
ns4.leprisoruim.ru – 173.224.208.60
ns5.leprisoruim.ru – 62.76.188.138
ns1.switched-games.ru – 62.213.64.161
ns2.switched-games.ru – 85.143.166.243
ns3.switched-games.ru – 41.66.137.155
ns4.switched-games.ru – 184.106.189.124
ns5.switched-games.ru – 203.172.140.202
ns6.switched-games.ru – 87.120.41.155
ns1.ipadvssonyx.ru => 62.76.190.208
ns2.ipadvssonyx.ru => 203.172.140.202
ns3.ipadvssonyx.ru => 87.120.41.155
ns4.ipadvssonyx.ru => 173.224.208.60
ns5.ipadvssonyx.ru => 62.76.188.138
ns1.online-cammunity.ru – 62.76.190.208
ns2.online-cammunity.ru – 203.172.140.202
ns3.online-cammunity.ru – 87.120.41.155
ns4.online-cammunity.ru – 173.224.208.60
ns5.online-cammunity.ru – 62.76.188.138
ns1.zenedin-zidane.ru – 62.213.64.161
ns2.zenedin-zidane.ru – 85.143.166.243
ns3.zenedin-zidane.ru – 41.66.137.155
ns4.zenedin-zidane.ru – 184.106.189.124
ns5.zenedin-zidane.ru – 203.172.140.202
ns6.zenedin-zidane.ru – 87.120.41.155
ns1.porschedesignrussia.ru – 62.213.64.161
ns2.porschedesignrussia.ru – 85.143.166.243
ns3.porschedesignrussia.ru – 41.66.137.155
ns4.porschedesignrussia.ru – 184.106.189.124
ns5.porschedesignrussia.ru – 203.172.140.202
ns6.porschedesignrussia.ru – 87.120.41.155
Related client-side exploits and malware serving URLs spamvertised in the same campaign, also drop MD5: cd0aac6df71fa28d4564406a24f7e1a2 – detected by 28 out of 42 antivirus scanners as Gen:Variant.Zusy.15382; P2P-Worm.Win32.Palevo.fbvx
The second sample phones back to 87.204.199.100:8080/mx5/B/in/ not surprisingly, we’ve already seen this command and control server used in numerous profiled campaigns, such as, for instance, the AT&T Billing Center impersonation one, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign.
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
This is a fraudulent email sent by an imposter. Do not click on the link or download the attachment.
123Greetings.com does not send any attachment or .exe file link in the email. There is no spurious software/ virus that are associated with any email that you receive from 123Greetings.com. All ecards that are sent using the 123greetings.com system are stored on the 123greetings.com servers. You do not have to install any software to send/ receive and view an ecard from our website.
Please click on the following FAQ links to know the difference between 1egitimate ecard emails from 123greetings.com and fraudulent emails sent by any imposter:
http://help.123greetings.com/How-to-tell-the-difference-between-good-and-bad-emails_157.html
http://help.123greetings.com/How-to-differentiate-between-legitimate-ecard-email-and-a-fraudulent-email_156.html
http://help.123greetings.com/Why-am-I-getting-a-Virus-Notice/exe-file-link-when-I-get-a-card-from-123greetingscom_19.html
Note: Please send us the received email as an attachment with full email header part, enabling us to investigate and to take necessary action against the imposter.
Please click on the following link to know how to get an email header. http://www.spamcop.net/fom-serve/cache/19.html
123Greetings.com is trying hard to stop these spamming activities by complaining to the respective authorities to block the spam originated IPs.
THANK YOU FOR WATCHING OUR BACKS~~~~and also for daily watching my computers!!!!!! you are the nest!!!!
MERRY X’TMAS AND A HAPPY NEW YEAR!!!!