Cybercriminals are currently spamvertising millions of emails impersonating the Better Business Bureau (BBB), in an attempt to trick users into clicking on a link to a non-existent report. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign:

Sample client-side exploit-serving URL: hxxp://samplersmagnifyingglass.net/detects/confirming_absence_listing.php – 183.81.133.121, AS38442 – Email: jap_gazo8262@fansonlymail.com

Although I wasn’t able to obtain the actual malicious payload from this campaign, it’s worth pointing out that the cybercriminals behind it relied on the same infrastructure as they did in previously profiled malicious attacks launched by the same party. We also know that, at the following dates and times, the following malicious URLs also responded to the same IP (183.81.133.121):

2012-10-16 00:24:08 – hxxp://navisiteseparation.net/detects/processing-details_requested.php
2012-10-12 11:19:37 – hxxp://editdvsyourself.net/detects/beeweek_status-check.php

Responding to the same IP (183.81.133.121) are also the following malicious domains:
stafffire.net
hotsecrete.net – Email: counseling1@yahoo.com
the-mesgate.net – also responds to 208.91.197.54 – Email: admin@newvcorp.com

Name servers used in the campaign:
Name Server: NS1.TOPPAUDIO.COM – 91.216.93.61 – Email: windowclouse@hotmail.com
Name Server: NS2.TOPPAUDIO.COM – 29.217.45.138 – Email: windowclouse@hotmail.com
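
The shared IP and domains listed above lend themselves to a retrospective sweep of web-proxy logs. The following is an added example, not part of the original post: the four-field log format and its sample lines are constructed, and the `/detects/<name>.php` path pattern is an inference from the three exploit-serving URLs given here.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post (published there defanged as hxxp://).
CAMPAIGN_IP = "183.81.133.121"
CAMPAIGN_DOMAINS = {
    "samplersmagnifyingglass.net", "navisiteseparation.net",
    "editdvsyourself.net", "stafffire.net", "hotsecrete.net",
    "the-mesgate.net",
}
# Assumption: all three exploit-serving URLs in the post share this path shape.
EK_PATH = re.compile(r"^/detects/[A-Za-z0-9_-]+\.php$")

def refang(url):
    """Turn a defanged hxxp:// or [.] indicator back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")

def classify(dest_ip, url):
    """Return the reasons a proxy record matches the campaign (empty if none)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if dest_ip == CAMPAIGN_IP:
        reasons.append("ip")
    # Subdomains (e.g. www.) are treated as matches; that is a choice made here.
    if any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS):
        reasons.append("domain")
    if EK_PATH.match(parts.path):
        reasons.append("path")  # weakest signal on its own
    return reasons

# Constructed sample log, fields: timestamp client dest_ip url
SAMPLE_LOG = """\
2012-10-16T00:24:09Z 10.0.0.5 183.81.133.121 http://navisiteseparation.net/detects/processing-details_requested.php
2012-10-16T00:25:41Z 10.0.0.7 203.0.113.10 http://www.stafffire.net/index.html
2012-10-16T00:26:02Z 10.0.0.9 198.51.100.20 http://example.org/detects/report.php
2012-10-16T00:27:13Z 10.0.0.9 198.51.100.20 http://example.org/about.html
"""

def scan(log_text):
    """Return (client, url, reasons) for every log line with at least one match."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, dest_ip, url = line.split(None, 3)
        reasons = classify(dest_ip, url)
        if reasons:
            hits.append((client, url, reasons))
    return hits

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

Records that match on IP and domain together are the strongest leads; a path-only match is a hint worth triaging, not a verdict.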

We’ll continue monitoring the campaigns launched by this group, and post updates as soon as new campaigns are launched.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
