On a daily basis, we intercept hundreds of thousands of fraudulent or malicious emails whose purpose is to either infect users with malicious software or turn them into victims of fraudulent schemes. About 99% of these campaigns rely on social engineering tactics, and in the cases where they don’t include direct links to the actual malware, they direct users to the market leading Black Hole Exploit Kit.
In terms of volume and persistence, throughout January, 2013, a single malicious campaign impersonating FedEx topped our metrics data. What’s so special about this campaign? It’s the fact that the digital fingerprint of one of the most recently introduced malware variants used in the campaign corresponds to the digital fingerprint of a malware-serving campaign that we’ve already profiled, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.
Sample screenshot of the spamvertised email:
Sample spamvertised compromised URLs part of the campaign:
hxxp://relax-legend.ba/ZXSZUSBLZG.php?receipt
hxxp://stylephone.co.il/misc/teasers.php?receipt
hxxp://voguepay.com/FEZDVUUCLG.php?receipt=
hxxp://sunrisemedya.com/HAEJMKGUMT.php?receipt
hxxp://sunseekerownersclub.com/OOLZRZQTIW.php?receipt
hxxp://selimi-fugenabdichtungen.de/IYSZJVVIRA.php?receipt
hxxp://sunseekerownersclub.com/OOLZRZQTIW.php?receipt
hxxp://www.cursillodeorientacion.com/OLKIHLKYSB.php?receipt
hxxp://www.diocesebatroun.org/UEKFWHOJPF.php?receipt
hxxp://suarevista.com.br/QGQRXAOJLV.php?receipt
hxxp://fundloan.info/AYKQRUYOSL.php?receipt
hxxp://secretmobilemoneyprofits.com/SCTQOFXHVC.php?php=receipt
hxxp://www.matwigley.co.uk/SOJAJDTLAX.php?php=receipt
hxxp://rossiangelo.it/ALAGZUCWHV.php?receipt
hxxp://tqm.com.ua/misc/teasers.php?receipt
hxxp://metalphotosplus.com/PAUDSPBBXE.php?receipt
hxxp://businesscoaching24.com/BWMIZNPQAT.php?receipt
hxxp://www.bsf.org.pk/misc/teasers.php?get_receipt
hxxp://ferz.kiev.ua/misc/teasers.php?get_receipt
Detection rate for the malware variants distributed over the past 24 hours:
MD5: 980ffe6cee6ad5a197fbebdeeac9df57 – detected by 31 out of 46 antivirus scanners as Trojan-Downloader.Win32.Kuluoz.amg
MD5: bf061265407ea1f7c21fbf5f545c4c2b – detected by 6 out of 46 antivirus scanners as PAK_Generic.001
MD5: 6bb823d87f99da067e284935ca3a8b14 – detected by 36 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B
MD5: 75db84cfb0e1932282433cdb113fb689 – detected by 29 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B
Deja vu! This is the same MD5: 75db84cfb0e1932282433cdb113fb689 that we profiled in the “Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware” analysis, indicating a (thankfully) low QA (Quality Assurance) applied on behalf of the cybercriminals launching these campaigns.
The campaign is ongoing, so watch what you click on! Webroot SecureAnywhere users are proactively protected from these threats with our comprehensive internet security solution.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
Yes, I just got one of these emails today I searched the tracking number on fedex site and there was none to be found just as i thought as i haven’t ordered anything i am waiting for .. do NOT click on the “PRINT RECEIPT” button link as it will allow virus or trojans to enter your computer and infect it… the blokes, why do they waste their time on this!