American Airlines customers, watch where you click! Cybercriminals are currently spamvertising millions of emails impersonating the company in an attempt to trick home and corporate users into clicking on the malicious links found in the spamvertised email.
Once clicked, the links redirect users to a Black Hole exploit kit landing URL, where client-side exploits are served against outdated third-party software and browser plugins.
More details:
Screenshots of a sample spamvertised email:
Once users click on any of the links in the spamvertised email, they are exposed to the following fake “Page loading…” page:
Spamvertised URLs: hxxp://luxify.net/wp-admin/aair.html redirects to -> hxxp://princess-sales.net/main.php?page=7e45713861176c6b (203.237.211.223) or hxxp://ghanarpower.net/main.php?page=8c6c59becaa0da07 (203.237.211.223)
Upon successful client-side exploitation of CVE-2010-1885, the Black Hole exploit kit drops the following sample on infected hosts: MD5: c70d309171d9844f331081b3c3d80ff
Detection rate: Detected by 25 out of 42 antivirus scanners as Trojan.Generic.KDV.664936; Worm:Win32/Cridex.E
Upon execution, the sample phones back to 210.56.23.100:8080/za/v_01_b/in/
Responding to 210.56.23.100, AS7590, COMSATS Commission on Science and Technology for Sustainable Development in the South, are the following command and control servers:
The name server infrastructure for these domains is parked at the following IPs: 94.63.147.96; 171.25.190.249; 188.116.32.177
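The infection chain above (spam link, redirector, Black Hole landing URL with a 16-hex-character page parameter, then the Cridex beacon to 210.56.23.100:8080/za/v_01_b/in/) gives a defender three stages to look for in web proxy logs. The following is an added example, not code from the original post: it classifies each URL in a constructed proxy log against the indicators quoted in the write-up. The log format (timestamp, client IP, URL, status) is an assumption.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the write-up above.
SPAM_REDIRECTOR = ("luxify.net", "/wp-admin/aair.html")
LANDING_HOSTS = {"princess-sales.net", "ghanarpower.net", "203.237.211.223"}
PAGE_PARAM_RE = re.compile(r"^[0-9a-f]{16}$")   # e.g. 7e45713861176c6b
C2_IP, C2_PORT, C2_PATH = "210.56.23.100", 8080, "/za/v_01_b/in/"


def classify(url: str) -> Optional[str]:
    """Return the chain stage a URL belongs to, or None if it matches nothing."""
    u = urlsplit(url)
    host = u.hostname or ""
    if (host, u.path) == SPAM_REDIRECTOR:
        return "spam-redirector"
    if host in LANDING_HOSTS and u.path == "/main.php":
        page = parse_qs(u.query).get("page", [""])[0]
        if PAGE_PARAM_RE.match(page):
            return "blackhole-landing"
    # The beacon was observed on port 8080; u.port is None when no port is given.
    if host == C2_IP and u.port == C2_PORT and u.path.startswith(C2_PATH):
        return "cridex-c2-beacon"
    return None


# Constructed sample log (hypothetical format: timestamp client url status).
SAMPLE_LOG = """\
2012-09-19T10:01:02Z 10.0.0.7 http://luxify.net/wp-admin/aair.html 200
2012-09-19T10:01:03Z 10.0.0.7 http://princess-sales.net/main.php?page=7e45713861176c6b 200
2012-09-19T10:01:09Z 10.0.0.7 http://210.56.23.100:8080/za/v_01_b/in/ 200
2012-09-19T10:02:00Z 10.0.0.9 http://example.com/main.php?page=about 200
"""


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, stage, url) for every log line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # skip malformed lines
        client, url = parts[1], parts[2]
        stage = classify(url)
        if stage:
            hits.append((client, stage, url))
    return hits


if __name__ == "__main__":
    for client, stage, url in scan(SAMPLE_LOG):
        print(f"{client} {stage} {url}")
```

A host that shows all three stages in sequence, as 10.0.0.7 does here, has most likely completed the full chain and should be treated as infected rather than merely exposed.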
Webroot SecureAnywhere users are proactively protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
I really like what you guys are usually up to. This type of clever work and exposure! Keep up the great work guys I’ve you guys to our blogroll.
Thanks for all your feedback! Glad you enjoy the information 🙂
If you would like to further participate with us, please join our Webroot Community where you can find solutions to all different kinds of problems and maybe even be able to help someone else yourself! We’d love to have you join.
https://community.webroot.com/
We have a qualified audience interested in acquiring real estate for purchase, rental, holiday lets or similar investment.
Hello,
Please contact our team for further assistance:
https://mysupport.webrootanywhere.com/supportwelcome.aspx?SOURCE=ENTERPRISEWSA
Sincerely,
Josh P.
Social Media Coordinator