American Express cardholders, beware!
Over the past week, cybercriminals mass mailed millions of emails impersonating American Express, in an attempt to trick its customers into clicking on the malicious links found in the emails. Upon clicking on any of the links, users are redirected to a malicious URL serving cllient-side exploits courtesy of the Black Hole Exploit Kit.
More details:
Sample screenshot of the spamvertised email:
Sample compromised URLs used in the campaign: hxxp://www.xn--snren-wua.net/amextrfail.html; hxxp://www.stellarkids.net/amextrfail.html; hxxp://abakus-baby.com/amextrfail.html; hxxp://www.balatonok.hu/amextrfail.html; hxxp://www.ardiabetes.org/amextrfail.html; hxxp://xfrz.cn/amextrfail.html; hxxp://kinga-aco.studiopresent.info/amextrfail.html; http://www.intech74.ru/amextrfail.html; http://wanpra.com/amextrfail.html; http://qr-codes.pedromorales.com/amextrfail.html; hxxp://relationshipcentral.org.my/amextrfail.html; hxxp://svetled.net/amextrfail.html; hxxp://plateenforcer.com/amextrfail.html; hxxp://marko.jumpquick.com/amextrfail.html; hxxp://familyfiles.joeinfo.org/amextrfail.html; hxxp://vawip.sapint.org/amextrfail.html; hxxp://www.xn--snren-wua.net/amextrfail.html; hxxp://uni-formsandservices.com/amextrfail.html; hxxp://www.svma.sd/amextrfail.html; hxxp://www.ardiabetes.org/amextrfail.html
Client-side exploits serving URLs: hxxp://stempare.net/detects/suited_awful_infinite_estimate.php; hxxp://stempare.net/detects/suited_awful_infinite_estimate.php?azfqtl=3833043409&zwe=47&wfamk=05340237360403353407&htks=0a000300040002
Malicious domain name reconnaissance:
stempare.net – 109.123.220.145, AS15685 – Email: rebe_bringhurst1228@i-connect.com
Name Server: NS1.TOPPAUDIO.COM – 91.216.93.61, AS50300 – Email: windowclouse@hotmail.com
Name Server: NS2.TOPPAUDIO.COM – 29.217.45.138 – Email: windowclouse@hotmail.com
We’ve already seen these name servers in the recently profiled “‘Your Discover Card Services Blockaded’ themed emails lead to Black Hole Exploit Kit“; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“, indicating that all of these campaigns are managed by a single cybercriminal/gang of cybercriminals.
Upon loading of the malicious URL, a malicious PDF file exploiting CVE-2010-0188 is used to ultimately drops the actual payload – MD5: c8c607bc630ee2fe6a8c31b8eb03ed43 – detected by 2 out of 44 antivirus scanners as Trojan.Win32.Bublik.ptf.
Upon execution, the dropped malware requests a connection to 192.5.5.241:8080 and then establishes a connection with 210.56.23.100:8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan). The following domain responds to this IP: discozdata.org. It is currently blacklisted in 25 anti-spam lists.
The following URLs are known to have directly serving malicious content, and act as command and control servers in the past:
210.56.23.100:8080/asp/intro.php
210.56.23.100:8080/za/v_01_a/in
The following malicious URLs are known to have responsed to the same IP:
hxxp://poluicenotgo.ru:8080/internet/at.php?i=15
hxxp://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php
hxxp://webmastaumuren.ru:8080/navigator/jueoaritjuir.php
hxxp://dedovshinaus.su:8080/pages/dq.php?i=15
hxxp://rushsjhdhfjsldif.su:8080/images/aublbzdni.php
hxxp://xstriokeneboleeodgons.ru:8080/images/jw.php?i=3D8
hxxp://debiudlasduisioa.ru/
hxxp://dkjhfkjsjadsjjfj.ru:8080/images/aublbzdni.php
hxxp://ckjsfhlasla.ru:8080/images/kobzfoivdpdzilx.php
hxxp://zolindarkksokns.ru:8080/images/jw.php?i=2
hxxp://caskjfhlkaspsfg.ru/images/dpcobsyscrctbt.jar
hxxp://csoaspfdpojuasfn.ru:8080/images/xqyndrbualfl.swf
The last time we came across this IP (210.56.23.100), was in July 2012’s analysis of yet another malicious campaign, this time impersonating American Airlines.
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
