Cybercriminals are currently spamvertising millions of emails impersonating the popular Craigslist site, in an attempt to trick users into clicking on client-side exploits and malware serving URLs courtesy of the Black Hole exploit kit.
More details:
Screenshot of the spamvertised email:
Spamvertised URLs: hxxp://institut66.fr/genidpo.html; hxxp://tomix.cal24.pl/lidcr.html; hxxp://well-ship.com/genidpo.html; hxxp://www.windscreen-wiper.com/lidcr.html; hxxp://wzm1982.com.cn/lidcr.html; hxxp://iconnectzone.com/wp-includes/waral.html
Client-side exploits serving URL: hxxp://historyalmostany.org/main.php?page=ed0a25d616022c57 – 221.131.129.200
Upon clicking on the links, users are exposed to the following bogus “Page loading…” page:
Client-side exploits served: CVE-2010-1885
Detection rate for a sample malicious JavaScript redirection script with MD5: 89b7b3834aeee20658d04adccfe61438, and detection rate for a sample malicious script found on a landing URL with MD5: 50e000b7d2d990951d4588c8e2147ceb
Upon successful client-side exploitation the campaign drops MD5: ffa297ff8f942dc65db5290311799bf6 detected by 3 out of 41 antivirus scanners as Trojan.PWS.Panda.2523; Malware.Cridex.
Once executed, the sample phones back to 87.204.199.100/mx5/in/ on port 8080.
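The two network indicators above, the Black Hole landing URL pattern (main.php?page=<16 hex chars> on the serving host) and the Cridex check-in to 87.204.199.100:8080/mx5/in/, can be matched against web-proxy logs. The script below is an added example, not part of the original post or of Webroot's tooling; the space-separated log format and the sample lines are constructed, and only indicators quoted in the post are used.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators quoted in the post: the landing host and its IP, and the C2 endpoint.
LANDING_HOSTS = {"historyalmostany.org", "221.131.129.200"}
C2_HOST, C2_PORT, C2_PATH = "87.204.199.100", 8080, "/mx5/in/"
# Landing URLs in this campaign look like /main.php?page=<16 lowercase hex chars>;
# the regex generalises the single value shown in the post (assumption).
LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")


def classify(url: str) -> Optional[str]:
    """Return a label if the URL matches one of the campaign indicators, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    if host in LANDING_HOSTS and LANDING_RE.search(path_q):
        return "blackhole-landing"
    # The check-in only counts on port 8080, as reported in the post.
    if host == C2_HOST and port == C2_PORT and parts.path.startswith(C2_PATH):
        return "cridex-c2"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, label, url) for every hit.
    Assumed (constructed) format: '<epoch> <client_ip> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash
        label = classify(fields[3])
        if label:
            hits.append((n, label, fields[3]))
    return hits


# Constructed sample log lines: one benign, one landing hit, one near-miss
# (non-hex page value), one C2 hit, one near-miss (wrong port).
SAMPLE_LOG = [
    "1338200001 10.0.0.5 GET http://www.example.com/index.html 200",
    "1338200002 10.0.0.5 GET http://historyalmostany.org/main.php?page=ed0a25d616022c57 200",
    "1338200003 10.0.0.5 GET http://historyalmostany.org/main.php?page=notahexvalue 404",
    "1338200004 10.0.0.5 POST http://87.204.199.100:8080/mx5/in/ 200",
    "1338200005 10.0.0.5 POST http://87.204.199.100/mx5/in/ 200",
]

if __name__ == "__main__":
    for n, label, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {label}: {url}")
```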
Responding to 87.204.199.100 are the following command and control servers used in the malicious campaign:
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.