Spamvertised CareerBuilder themed emails serving client-side exploits and malware


By Dancho Danchev

End and corporate users, and especially CareerBuilder users, beware!

Cybercriminals are currently spamvertising millions of emails impersonating the popular jobs portal CareerBuilder in an attempt to trick users into clicking on links that serve client-side exploits.

The current campaign, originally circulating in the wild since 26 Apr, 2012, is a great example of a lack of QA (quality assurance): the cybercriminals are spamvertising a binary that is already widely detected by the security community.

More details:

Spamvertised URL: hxxp://karigar.in/car.html

Client-side exploits served: CVE-2010-0188 and CVE-2010-1885

Malicious client-side exploitation chain:
hxxp://karigar.in/car.html -> hxxp://masterisland.net/main.php?page=975982764ed58ec3 -> hxxp://masterisland.net/data/ap2.php
Sometimes hxxp://strazdini.net/main.php?page=c6c26a0d2a755294 is also included in the redirection.

Upon successful exploitation, the chain drops a binary with the following MD5: 518648694d3cb7000db916d930adeaaf

Upon execution it phones back to the following URLs/domains:
zorberzorberzu.ru/mev/in/ (146.185.218.122)
prakticalcex.ru (91.201.4.142)
nalezivmordu.in
internetsexcuritee4dummies.ru
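As an added example (not part of the original post), the following Python triage script scans a constructed proxy log for the landing page, the exploit-serving hosts and the phone-back destinations listed above, and escalates a per-client verdict according to which stages of the chain were observed. The log line format is an assumption; the indicators are the ones given in the post.

```python
import re
from collections import defaultdict

# Indicators from the post (written plainly here; the post defangs them as hxxp://).
LANDING = "karigar.in"
EXPLOIT_HOSTS = {"masterisland.net", "strazdini.net"}
C2_HOSTS = {"zorberzorberzu.ru", "prakticalcex.ru",
            "nalezivmordu.in", "internetsexcuritee4dummies.ru"}
C2_IPS = {"146.185.218.122", "91.201.4.142"}

# Constructed sample proxy log; assumed format: "timestamp client method url dest_ip".
SAMPLE_LOG = """\
2012-04-27T10:01:02 10.0.0.5 GET http://karigar.in/car.html 203.0.113.10
2012-04-27T10:01:03 10.0.0.5 GET http://masterisland.net/main.php?page=975982764ed58ec3 203.0.113.11
2012-04-27T10:01:04 10.0.0.5 GET http://masterisland.net/data/ap2.php 203.0.113.11
2012-04-27T10:01:40 10.0.0.5 GET http://zorberzorberzu.ru/mev/in/ 146.185.218.122
2012-04-27T10:02:00 10.0.0.9 GET http://www.example.com/ 203.0.113.12
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.I)

def classify(url, dest_ip):
    """Map one request to a stage of the chain described in the post, or None."""
    m = HOST_RE.match(url)
    host = m.group(1).lower() if m else ""
    if host == LANDING:
        return "landing"
    if host in EXPLOIT_HOSTS:
        return "exploit"
    # The dropped binary may beacon to an IP directly, so check both host and dest IP.
    if host in C2_HOSTS or dest_ip in C2_IPS:
        return "c2"
    return None

def triage(log_text):
    """Return {client: verdict}, escalating with the deepest stage seen per client."""
    stages = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, _method, url, dest = m.groups()
        stage = classify(url, dest)
        if stage and (not stages[client] or stages[client][-1] != stage):
            stages[client].append(stage)
    verdicts = {}
    for client, seen in stages.items():
        if "c2" in seen:
            verdicts[client] = "likely infected"   # phoned back after the chain
        elif "exploit" in seen:
            verdicts[client] = "exploit kit contact"
        else:
            verdicts[client] = "landing page only"
    return verdicts
```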

Thanks to the overall availability of malware crypting on demand services, we believe it is only a matter of time before the cybercriminals behind this campaign realize they are spamvertising an already detected executable, crypt it, and spamvertise it once again, this time successfully slipping it past signature-based antivirus scanning solutions.

Webroot SecureAnywhere customers are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
