Cybercriminals are currently spamvertising millions of emails impersonating the Better Business Bureau (BBB), in an attempt to trick users into clicking on a link to a non-existent report. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.
More details:
Sample screenshot of the spamvertised email:
Sample compromised URLs used in the campaign: hxxp://www.kulturszalon.hu/cmplinfo.html; hxxp://plastonline.expopage.net/cmplinfo.html; hxxp://holmgard.ru/bbbcmpln.html; hxxp://www.resgroup.com/cmplinfo.html; hxxp://fatherandy.com/cmplinfo.html; hxxp://luxense.eu/bbbcmpln.html; hxxp://sauter-vvp.de/cmplinfo.html; hxxp://lrhmedia.com/bbbcmpln.html; hxxp://stsmc.org/cmplinfo.html; hxxp://kulturszalon.hu/cmplinfo.html; hxxp://fajnybazar.cz/cmplinfo.html; hxxp://caselle-vpn.net/cmplinfo.html; hxxp://intranet.sextaconcepcion.cl/cmplinfo.html; hxxp://www.stsmc.org/cmplinfo.html; hxxp://philipsambisound.info/cmplinfo.html; hxxp://www.resgroup.com/cmplinfo.html; hxxp://www.j-channel.ch/cmplinfo.html; hxxp://eaglemailboxsales.com/cmplinfo.html; hxxp://www.teratec.co.il/cmplinfo.html; hxxp://www.azmp.ru/cmplinfo.html; hxxp://znamenie.com/cmplinfo.html; hxxp://star-crep.it/bbbcmpln.html; hxxp://mignonnettes.it/bbbcmpln.html
Sample client-side exploits serving URL: hxxp://samplersmagnifyingglass.net/detects/confirming_absence_listing.php – 183.81.133.121, AS38442 – Email: jap_gazo8262@fansonlymail.com
Although I wasn’t able to obtain the actual malicious payload from this campaign, it’s worth pointing out that the cybercriminals behind it relied on the same infrastructure as they did in previously profiled malicious attacks launched by the same party. We also know that on the following dates/specific time, the following malicious URLs also responded to the same IP (183.81.133.121):
2012-10-16 00:24:08 – hxxp://navisiteseparation.net/detects/processing-details_requested.php
2012-10-12 11:19:37 – hxxp://editdvsyourself.net/detects/beeweek_status-check.php
Responding to the same IP (183.81.133.121) are also the following malicious domains:
stafffire.net
hotsecrete.net – Email: counseling1@yahoo.com
the-mesgate.net – also responds to 208.91.197.54 – Email: admin@newvcorp.com
Name servers used in the campaign:
Name Server: NS1.TOPPAUDIO.COM – 91.216.93.61 – Email: windowclouse@hotmail.com
Name Server: NS2.TOPPAUDIO.COM – 29.217.45.138 – Email: windowclouse@hotmail.com
- stafffire.net seen in – “Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware“; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“
- hotsecrete.net seen in – “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“
- the-mesgate.net seen in – “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“
- NS1.TOPPAUDIO.COM and NS2.TOPPAUDIO.COM seen in – “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“; “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware“; “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware“; “‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit“
We’ll continue monitoring the campaigns launched by this group, and post updates as soon as new campaigns are launched.
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
