Spamvertised American Airlines themed emails lead to Black Hole exploit kit


By Dancho Danchev

American Airlines customers, watch where you click! Cybercriminals are currently spamvertising millions of emails impersonating the company in an attempt to trick end and corporate users into clicking on the malicious links found in the spamvertised email.

Upon execution, the campaign redirects users to a Black Hole exploit kit landing URL, where client-side exploits are served against outdated third-party software and browser plugins.

More details:

Screenshots of a sample spamvertised email:

Once users click on any of the links in the spamvertised email, they are exposed to the following fake “Page loading…” page:

Spamvertised URLs: hxxp://luxify.net/wp-admin/aair.html redirects to -> hxxp://princess-sales.net/main.php?page=7e45713861176c6b (203.237.211.223) or hxxp://ghanarpower.net/main.php?page=8c6c59becaa0da07 (203.237.211.223)

Upon successful client-side exploitation of CVE-2010-1885, the Black Hole exploit kit drops the following MD5 on infected hosts: MD5: c70d309171d9844f331081b3c3d80ff

Detection rate: Detected by 25 out of 42 antivirus scanners as Trojan.Generic.KDV.664936; Worm:Win32/Cridex.E

Upon execution, the sample phones back to 210.56.23.100:8080/za/v_01_b/in/

Responding to 210.56.23.100, AS7590, COMSATS Commission on Science and Technology for Sustainable Development in the South, are the following command and control servers:

cpojkjfhotzpod.ru
upjachkajasamns.ru
cruoinaikklaoifpa.ru
sumgankorobanns.ru
fedikankamolns.ru
ciontooabgooppoa.ru
caskjfhlkaspsfg.ru
csoaspfdpojuasfn.ru
amanarenapussyns.ru
cparabnormapoopdsf.ru
cjhsdvbfbczuet.ru
caoodntkioaojdf.ru
clkjshdflhhshdf.ru
zolindarkksokns.ru
cnnvcnsaoljfrut.ru
cruikdfoknaofa.ru
cjiahkhklflals.ru
dinamitbtzusons.ru
cjjasjjikooppfkja.ru
ckjsfhlasla.ru
kroshkidlahlebans.ru
ckjhasbybnhdjf.ru
xspisokdomenidgmens.ru
dkijhsdkjfhsdf.ru
dhjikjsdhfkksjud.ru
dsakhfgkallsjfd.ru
dphsgdfisgdfsdf.ru
dkjhfkjsjadsjjfj.ru
debiudlasduisioa.ru
dpasssjiufjkaksss.ru
doorpsjjaklskfjak.ru
dnvfodooshdkfhha.ru
xstriokeneboleeodgons.ru
dpaoisosfdhaopasasd.ru
rushsjhdhfjsldif.su
dkjhasjllasllalaa.ru
puidhfhhaoadans.su
somaniksuper.ru
superproomgh.ru
samsonikonyou.ru
phfhshdjsjdppns.su
dhjhgfkjsldkjdj.ru
poosdfhhsppsdns.su
insomniacporeed.ru

The name servers infrastructure of these domains is parked at the following IPs 94.63.147.96; 171.25.190.249; 188.116.32.177

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

6 thoughts on “Spamvertised American Airlines themed emails lead to Black Hole exploit kit

  1. Pingback: Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole exploit kit « Webroot Threat Blog

  2. Pingback: Cybercriminals impersonate AT&T’s Billing Service, serve exploits and malware « Webroot Threat Blog

  3. Pingback: Cybercriminals spamvertise bogus greeting cards, serve exploits and malware « Webroot Threat Blog

  4. Pingback: ‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  5. Pingback: Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  6. Pingback: ‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit « Webroot Threat Blog – Internet Security Threat Updates from Around the World

Join the Conversation

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s