A cybercriminal/group of cybercriminals that’s been responsible for a series of malware attacks that I’ve been recently profiling, continues to systematically rotate the impersonated brands and the actual malicious payload dropped by the market leading Black Hole Exploit Kit. The prospective target of their latest campaign? PayPal users.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign: hxxp://smksapg.edu.my/acschanged.html; hxxp://kylecommunity.com/acschanged.html; hxxp://tonymerritt.com/acschanged.html;  hxxp://gorod-sport.ru/acschanged.html; hxxp://family.joeinfo.org/acschanged.html; hxxp://sabaevo.ru/acschanged.html; hxxp://www.dzivebezzalem.lv/acschanged.html; hxxp://www.eqtv.com.ar/acschanged.html; hxxp://consultancy.jcsinvestment.com/acschanged.html; hxxp://www.ilampokhari.co.uk/acschanged.html; hxxp://sonnen- ernte.de/acschanged.html; hxxp://www.dzivebezzalem.lv/acschanged.html; hxxp://www.modelzwerge.de/acschanged.html; hxxp://wiggleeyes.pedromorales.com/acschanged.html; hxxp://aloeweb.cl/acschanged.html; hxxp://yuriy.at/acschanged.html; hxxp://www.llv.lichlamviec.com/acschanged.html; hxxp://ipadcover.ru/acschanged.html; hxxp://www.robertguyser.com/wp-content/themes/twentyten/ppacchanges.html; hxxp://partnerzy.net/wp-content/plugins/ppacchanges.html; hxxp://www.ufec.info/wp-content/plugins/akismet/ppacchanges.html; hxxp://msinventors.org/wp-content/plugins/akismet/ppacchanges.html; hxxp://www.textranetwork.com/wp-content/plugins/akismet/ppacchanges.html; hxxp://sclics.com/wp-content/plugins/akismet/ppacchanges.html; hxxp://www.passwork.org/wp-content/plugins/akismet/ppacchanges.html

Client-side exploits serving URL: hxxp://puzzledbased.net/detects/suited_awful_infinite_estimate.php; hxxp://packleadingjacket.org/detects/hidden-temperature.php

Malicious domain name reconnaissance: puzzledbased.net – 183.180.134.217, AS2519 – Email: rodger_covach3060@spacewar.com

Name Server: NS1.TOPPAUDIO.COM
Name Server: NS2.TOPPAUDIO.COM

packleadingjacket.org – 62.116.181.25

Name Server: ns1.chelseafun.net
Name Server: ns2.chelseafun.net

Although we couldn’t reproduce puzzledbased.net’s malicious activity, we know for certain that on 2012/11/01 at 15:19, hxxp://netgear-india.net/detects/discover-important_message.php was responding to the same IP. We’ve already seen and profiled the malicious activity of the campaign using this URL in the “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware“ analysis.

Moreover, we’ve also seen the same name servers (NS1.TOPPAUDIO.COM; NS2.TOPPAUDIO.COM) used in a series of recently profiled campaigns, once again launched by the same cybercriminal/gang of cybercriminals. The campaigns in question are: “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware“; “Your Discover Card Services Blockaded’ themed emails lead to Black Hole Exploit Kit“; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“.

The name servers (ns1.chelseafun.net; ns2.chelseafun.net) used by the most recently used client-side exploits serving domain, have also been seen in the following previously profiled malicious campaigns – “‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit“; “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware“.

The following malicious domains are also part of the campaign’s infrastructure and respond to the same IP (183.180.134.217) as the client-side exploits serving domains:

rovo.pl
itracrions.pl
superdmntre.com
chicwhite.com
radiovaweonearch.com
strili.com
superdmntwo.com
unitmusiceditior.com
newtimedescriptor.com
steamedboasting.info
solla.atvotela.net
stempare.net
tradenext.net
bootingbluray.net

The following malicious domain (stempare.net) was also seen in the recently profiled “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware” campaign, indicating yet another connection between these campaigns.

We’ve also seen steamedboasting.info in the following recently profiled malicious campaigns – “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware“; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“.

PayPal is a commonly impersonated brand by a lot of cybercriminals. In fact, some of them are so efficient in the process of obtaining PayPal accounting data, that they launch online shops targeting fellow cybercriminals who are interested in purchasing the fraudulently obtained data. We’ve also seen the brand impersonated in a series of malicious attacks:

• PayPal ‘Notification of payment received’ themed emails serve malware
• Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole exploit kit
• Spamvertised ‘Confirm PayPal account” notifications lead to phishing sites
• Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and malware
• Cybercriminals spamvertise PayPay themed ‘Notification of payment received’ emails, serve malware
• Spamvertised ‘Your Ebay funds are cleared’ themed emails lead to Black Hole exploit kit

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.