Spamvertised CareerBuilder themed emails serving client-side exploits and malware

By Dancho Danchev

End users and corporate users, and especially CareerBuilder users, beware!

Cybercriminals are currently spamvertising millions of emails impersonating the popular jobs portal CareerBuilder in an attempt to trick users into clicking on links that serve client-side exploits.

The current campaign, circulating in the wild since 26 Apr, 2012, is a great example of a lack of QA (quality assurance): the cybercriminals are spamvertising a binary that is already largely detected by the security community.

More details:

Spamvertised URL: hxxp://

Client-side exploits served: CVE-2010-0188 and CVE-2010-1885

Malicious client-side exploitation chain: hxxp:// -> hxxp:// -> hxxp://; sometimes hxxp:// is also included in the redirection

Upon successful exploitation, the campaign drops a binary with the following MD5: 518648694d3cb7000db916d930adeaaf

Upon execution it phones back to the following URLs/domains: ( –

Thanks to the overall availability of malware crypting on demand services, we believe that it’s only a matter of time before the cybercriminals behind this campaign realize that they’re spamvertising an already detected executable. Once they do, they can crypt it and spamvertise it again, this time successfully slipping it past signature-based antivirus scanning solutions.

Webroot SecureAnywhere customers are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
