Cybercriminals spamvertise ‘Amazon Shipping Confirmation’ themed emails, serve client-side exploits and malware


By Dancho Danchev

Over the past week, cybercriminals have been spamvertising millions of emails impersonating Amazon.com in an attempt to trick customers into thinking that they’ve received a Shipping Confirmation for a Vizio XVT3D04, HD 40-Inch 720p 100 Hz Cinema 3D LED-LCD HDTV FullHD and Four Pairs of 3D Glasses.

Once users click on any of the links in the malicious email, they are redirected to a landing page that serves the client-side exploits of the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Second screenshot of the spamvertised email impersonating Amazon.com Inc:

Once users click on the links found in the malicious email, they’re presented with the following bogus “Page loading…” page:

Sample subjects used in the spamvertised emails:

Re: HD TV Waiting on delivery Few hours ago
Your HDTV Delivered Now
Re: HDTV Processed Yesterday
Re: Order Processed Today
Your Order Approved Few hours ago

Sample compromised URLs used in the malicious campaign:

hxxp://manxwoman.net/administrator/amazinhdtv.html
hxxp://shuraki.com/wp-admin/hdtvamazon.html
hxxp://hagigim.net/wp-admin/hdtvamazon.html
hxxp://localsearchtrafficnow.com/wp-admin/hdtvamazon.html
hxxp://aclcinema.com/wp-admin/hdtvamazon.html
hxxp://mulberryhandbags.net/images/hdtvamazon.html
hxxp://doomsdaypreppersplan.com/wp-admin/hdtvamazon.html
hxxp://christiaanse-taxateur.nl/wp-admin/hdtvamazon.html
hxxp://institutobiblicosanpablo.org/site/amazinhdtv.html
hxxp://lacastalia.com/scripts/amazinhdtv.html
hxxp://twoshakes.ca/wp-admin/amazinhdtv.html
hxxp://quangcaowebtrengoogle.com/administrator/amazinhdtv.html
hxxp://vedsoft.info/wp-admin/amazinhdtv.html
hxxp://kineticenergix.com/wp-admin/amazinhdtv.html
hxxp://smescement.ru/3dhdtvordr.html
hxxp://j-goods.us/3dhdtvordr.html
hxxp://xn--nietypowe-meble-na-zamwienie-6zc.pl/3dhdtvordr.html

Note the recurring pattern: the landing pages are dropped into the administrative directories (wp-admin, administrator) of compromised WordPress and Joomla installations and reuse only three file names (amazinhdtv.html, hdtvamazon.html, 3dhdtvordr.html), which makes them easy to hunt for in web proxy logs.

Sample detection rate for the malicious JavaScript: Amazon.html – MD5: a8af3b2fba56a23461f2cc97a7b97830 – detected by 20 out of 43 antivirus scanners as JS/Obfuscus.AACB!tr; Trojan-Downloader.JS.Expack.ael.

Client-side exploitation URLs:

hxxp://webgrafismo.net/detects/rates-event_convinced-sent.php
hxxp://webgrafismo.net/detects/rates-event_convinced-sent.php?bve=3406073633&prny=3949&cmarvjgs=qqfngaf&gugrxt=qrs
hxxp://pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php

Once the client-side exploitation stage is reached, the Black Hole Exploit Kit also serves a malicious PDF file (MD5: 9a22573eb991a3780791a2df9c55ddab) that exploits CVE-2010-0188, a code-execution vulnerability in Adobe Reader and Acrobat; users running an unpatched Reader are compromised without any further interaction.
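As an added example that is not part of the original post, the following Python script turns the indicators listed above (the compromised landing-page URLs, the two exploit-kit hosts and the two MD5 hashes) into a small proxy-log hunter. It matches exact host/path pairs from the lists, generalises the three landing-page file names into a pattern so that previously unseen compromised hosts are still flagged, and flags the exploit kit's "word-word_word-word.php" naming as a low-confidence heuristic. The log lines embedded in the script are constructed for the example, and the log format (timestamp, client, method, URL, status) is an assumption; only a subset of the post's URLs is embedded to keep the block short.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the post, kept defanged (hxxp://) as published.
COMPROMISED_URLS = [
    "hxxp://manxwoman.net/administrator/amazinhdtv.html",
    "hxxp://shuraki.com/wp-admin/hdtvamazon.html",
    "hxxp://smescement.ru/3dhdtvordr.html",
    "hxxp://xn--nietypowe-meble-na-zamwienie-6zc.pl/3dhdtvordr.html",
]
EXPLOIT_URLS = [
    "hxxp://webgrafismo.net/detects/rates-event_convinced-sent.php",
    "hxxp://pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php",
]
KNOWN_MD5 = {
    "a8af3b2fba56a23461f2cc97a7b97830": "Amazon.html (obfuscated JavaScript)",
    "9a22573eb991a3780791a2df9c55ddab": "malicious PDF (CVE-2010-0188)",
}

# Pattern indicators derived from the lists above (assumption: the campaign
# keeps reusing these three file names on new compromised hosts).
LANDING_RE = re.compile(r"/(amazinhdtv|hdtvamazon|3dhdtvordr)\.html$", re.I)
# Low-confidence heuristic for the exploit kit's landing-page naming
# (e.g. rates-event_convinced-sent.php); legitimate sites can match it too.
BLACKHOLE_RE = re.compile(r"/[a-z]+-[a-z]+_[a-z]+-[a-z]+\.php$", re.I)


def refang(url):
    """Turn the published hxxp:// form back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def ioc_key(url):
    """Normalise a URL to (hostname, path); the query string is dropped so
    the exploit-kit URL with its ?bve=... parameters still matches."""
    p = urlparse(refang(url))
    return ((p.hostname or "").lower(), p.path)


EXACT_IOCS = {ioc_key(u) for u in COMPROMISED_URLS + EXPLOIT_URLS}


def classify_url(url):
    """Return a verdict string for a URL, or None if nothing matched."""
    host, path = ioc_key(url)
    if (host, path) in EXACT_IOCS:
        return "known-ioc"
    if LANDING_RE.search(path):
        return "landing-page-pattern"
    if BLACKHOLE_RE.search(path):
        return "blackhole-heuristic"
    return None


# Constructed sample proxy log (not from the post): "ts client method url status".
SAMPLE_LOG = """\
2012-03-05T10:01:02Z 10.0.0.12 GET http://www.amazon.com/gp/css/order-history 200
2012-03-05T10:01:09Z 10.0.0.12 GET http://shuraki.com/wp-admin/hdtvamazon.html 200
2012-03-05T10:01:10Z 10.0.0.12 GET http://webgrafismo.net/detects/rates-event_convinced-sent.php?bve=3406073633&prny=3949&cmarvjgs=qqfngaf&gugrxt=qrs 200
2012-03-05T10:02:44Z 10.0.0.31 GET http://example.org/wp-admin/hdtvamazon.html 404
2012-03-05T10:03:01Z 10.0.0.31 GET http://example.org/blog/index.php 200
"""


def scan_log(text):
    """Return (client, url, verdict) for every log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the hunt
        verdict = classify_url(parts[3])
        if verdict:
            hits.append((parts[1], parts[3], verdict))
    return hits


def check_hash(data):
    """Look up the MD5 of downloaded content against the post's two hashes."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:22} {client:10} {url}")
```

Treat a "known-ioc" or "landing-page-pattern" hit as a reason to pull the client's full browsing session around that timestamp: the interesting events are the follow-on requests to the exploit-kit host and any PDF or executable download that came back with a 200. The "blackhole-heuristic" verdict on its own is only a lead.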

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
