By Dancho Danchev
Sticking to their well proven social engineering tactics consisting of systematic rotation of the abused brands, cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick end and corporate users into interacting with the malicious campaign.
Once the interaction takes place, users are exposed to the client-side exploits served by the Black Hole exploit kit, currently the market share leader within the cybercrime ecosystem.
Screenshot of the spamvertised email:
Upon clicking on the link, users are exposed to bogus “Page loading…” page:
Spamvertised URLs: hxxp://earbudsforrunning.com/welcpp.html; hxxp://vitva-musicgroup.com/wp-content/uploads/fgallery/traninfo.html; hxxp://imune.org.br/traninfo.html
Client-side exploit serving URL: hxxp://teloexpressions.org/main.php?page=9aca5bbc34d3ebd6
Detection rate for a sample redirection script: MD5: 2276947d2f3a7abc88e89089e65dce23
Upon successful client-side exploitation, the campaign drops MD5: 05e0958ef184a27377044655d7b23cb0 on the affected hosts, detected by 28 out of 41 antivirus scanners as Trojan.Generic.KDV.679870; Trojan-Dropper.Win32.Dapato.bnej.
As we’ve already predicted, the cybercriminal or gang of cybercriminals behind these persistent and massive spam campaigns will simply continue rotating the impersonated brands in an attempt to target millions of users across multiple Web properties.
PayPal has information on their website to help users identify legitimate emails.
Webroot SecureAnywere users are proactively protected from this threat.