Over the past week, cybercriminals have been spamvertising millions of emails impersonating Amazon.com in an attempt to trick customers into thinking that they’ve received a Shipping Confirmation for a Vizio XVT3D04, HD 40-Inch 720p 100 Hz Cinema 3D LED-LCD HDTV FullHD and Four Pairs of 3D Glasses.
Once users click on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit kit.
More details:
Sample screenshot of the spamvertised email:
Second screenshot of the spamvertised email impersonating Amazon.com Inc:
Once users click on the links found in the malicious email, they’re presented with the following bogus “Page loading…” page:
Sample subjects used in the spamvertised emails: Re: HD TV Waiting on delivery Few hours ago; Your HDTV Delivered Now; Re: HDTV Processed Yesterday; Re: Order Processed Today; Your Order Approved Few hours ago
Sample compromised URLs used in the malicious campaign: hxxp://manxwoman.net/administrator/amazinhdtv.html; hxxp://shuraki.com/wp-admin/hdtvamazon.html; hxxp://hagigim.net/wp-admin/hdtvamazon.html; hxxp://localsearchtrafficnow.com/wp-admin/hdtvamazon.html; hxxp://aclcinema.com/wp-admin/hdtvamazon.html; hxxp://mulberryhandbags.net/images/hdtvamazon.html; hxxp://doomsdaypreppersplan.com/wp-admin/hdtvamazon.html; hxxp://christiaanse-taxateur.nl/wp-admin/hdtvamazon.html; hxxp://institutobiblicosanpablo.org/site/amazinhdtv.html; hxxp://lacastalia.com/scripts/amazinhdtv.html; hxxp://twoshakes.ca/wp-admin/amazinhdtv.html; hxxp://quangcaowebtrengoogle.com/administrator/amazinhdtv.html; hxxp://vedsoft.info/wp-admin/amazinhdtv.html; hxxp://kineticenergix.com/wp-admin/amazinhdtv.html; hxxp://smescement.ru/3dhdtvordr.html; hxxp://j-goods.us/3dhdtvordr.html; hxxp://xn--nietypowe-meble-na-zamwienie-6zc.pl/3dhdtvordr.html
Sample detection rate for the malicious JavaScript: Amazon.html, MD5: a8af3b2fba56a23461f2cc97a7b97830, detected by 20 out of 43 antivirus scanners as JS/Obfuscus.AACB!tr; Trojan-Downloader.JS.Expack.ael
Client-side exploitation URLs: hxxp://webgrafismo.net/detects/rates-event_convinced-sent.php; hxxp://webgrafismo.net/detects/rates-event_convinced-sent.php?bve=3406073633&prny=3949&cmarvjgs=qqfngaf&gugrxt=qrs; hxxp://pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php
Once a successful client-side exploitation takes place, the Black Hole Exploit Kit drops a malicious PDF file (MD5: 9a22573eb991a3780791a2df9c55ddab) that exploits the CVE-2010-0188 vulnerability.
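The indicators above (compromised landing URLs, the exploit-kit hosts under /detects/, and the two file hashes) are most useful when turned into something that can be run over proxy logs. The script below is an added example, not code from Webroot or from the writeup: it refangs the published hxxp:// indicators, derives host and filename sets from them, and classifies each log line as a hit on a known compromised site, a request to the exploit-kit hosts, or a request for the same lure filename on a host not in the list (the campaign reused hdtvamazon.html, amazinhdtv.html and 3dhdtvordr.html across many sites). The log layout, timestamps and client IPs are constructed assumptions for illustration; only the URLs and hashes come from the post.

```python
import re
from urllib.parse import urlparse

# Indicators transcribed from the writeup (defanged "hxxp" as published).
LANDING_URLS = [
    "hxxp://manxwoman.net/administrator/amazinhdtv.html",
    "hxxp://shuraki.com/wp-admin/hdtvamazon.html",
    "hxxp://hagigim.net/wp-admin/hdtvamazon.html",
    "hxxp://localsearchtrafficnow.com/wp-admin/hdtvamazon.html",
    "hxxp://aclcinema.com/wp-admin/hdtvamazon.html",
    "hxxp://mulberryhandbags.net/images/hdtvamazon.html",
    "hxxp://doomsdaypreppersplan.com/wp-admin/hdtvamazon.html",
    "hxxp://christiaanse-taxateur.nl/wp-admin/hdtvamazon.html",
    "hxxp://institutobiblicosanpablo.org/site/amazinhdtv.html",
    "hxxp://lacastalia.com/scripts/amazinhdtv.html",
    "hxxp://twoshakes.ca/wp-admin/amazinhdtv.html",
    "hxxp://quangcaowebtrengoogle.com/administrator/amazinhdtv.html",
    "hxxp://vedsoft.info/wp-admin/amazinhdtv.html",
    "hxxp://kineticenergix.com/wp-admin/amazinhdtv.html",
    "hxxp://smescement.ru/3dhdtvordr.html",
    "hxxp://j-goods.us/3dhdtvordr.html",
    "hxxp://xn--nietypowe-meble-na-zamwienie-6zc.pl/3dhdtvordr.html",
]
EXPLOIT_KIT_URLS = [
    "hxxp://webgrafismo.net/detects/rates-event_convinced-sent.php",
    "hxxp://pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php",
]
KNOWN_MD5 = {
    "a8af3b2fba56a23461f2cc97a7b97830": "Amazon.html (obfuscated JavaScript, JS/Obfuscus.AACB!tr)",
    "9a22573eb991a3780791a2df9c55ddab": "malicious PDF exploiting CVE-2010-0188",
}


def refang(url: str) -> str:
    """Turn a published hxxp:// indicator back into a parseable http:// URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def _host(url: str) -> str:
    return (urlparse(refang(url)).hostname or "").lower()


def _filename(url: str) -> str:
    return urlparse(refang(url)).path.rsplit("/", 1)[-1].lower()


LANDING_HOSTS = {_host(u) for u in LANDING_URLS}
LANDING_FILENAMES = {_filename(u) for u in LANDING_URLS}  # hdtvamazon.html, amazinhdtv.html, 3dhdtvordr.html
EXPLOIT_KIT_HOSTS = {_host(u) for u in EXPLOIT_KIT_URLS}

# Assumed (hypothetical) proxy log layout: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(line: str):
    """Return (category, client_ip, url) when a line touches a campaign indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    host, fname, path = _host(url), _filename(url), urlparse(url).path
    if host in EXPLOIT_KIT_HOSTS and path.startswith("/detects/"):
        return ("exploit_kit_request", m.group("client"), url)  # Black Hole exploitation URL
    if host in LANDING_HOSTS:
        return ("compromised_site", m.group("client"), url)  # listed compromised host
    if fname in LANDING_FILENAMES:
        return ("landing_filename_pattern", m.group("client"), url)  # same lure file, unlisted host
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def check_md5(digest: str):
    """Look up a file hash against the two samples named in the writeup."""
    return KNOWN_MD5.get(digest.strip().lower())


# Constructed sample log lines (not from the writeup); timestamps and client IPs are made up.
SAMPLE_LOG = [
    "2012-11-20T10:01:03Z 10.0.0.21 GET http://shuraki.com/wp-admin/hdtvamazon.html 200",
    "2012-11-20T10:01:05Z 10.0.0.21 GET http://webgrafismo.net/detects/rates-event_convinced-sent.php?bve=3406073633&prny=3949 200",
    "2012-11-20T10:02:11Z 10.0.0.33 GET http://www.example.com/index.html 200",
    "2012-11-20T10:03:44Z 10.0.0.40 GET http://other-host.example/wp-admin/hdtvamazon.html 404",
]

if __name__ == "__main__":
    for category, client, url in scan(SAMPLE_LOG):
        print(f"{category:26} {client:12} {url}")
```

The filename-pattern category is the part worth keeping after the listed hosts go stale: a client that fetches one of the lure filenames and then, seconds later, anything under /detects/ on a host outside the list is the sequence the post describes (bogus "Page loading…" page followed by the exploit kit), so the two hits from 10.0.0.21 above are what an analyst would pivot on.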
Webroot SecureAnywhere users are proactively protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.