By Dancho Danchev
Cybercriminals are currently mass mailing millions of emails in an attempt to trick Bank of America customers into clicking on the exploit- and malware-serving link found in the spamvertised email. Relying on bogus “Online Banking Passcode Changed” notifications and professional-looking email templates, the campaign is the latest indication of the systematic rotation of impersonated brands in an attempt to cover as many market segments as possible.
Screenshot of a sample spamvertised email:
Sample spamvertised and compromised URLs participating in the campaign – hxxp://kuj-pom.pl/wp-content/themes/simplenotes/resetPass.html; hxxp://mastropasticcere.bar.it/wp-content/themes/default/resetPass.html; hxxp://1980.mods.jp/wp-content/plugins/passchanged.html; hxxp://sunsetheroes.com/wp-content/plugins/1/passchanged.html; hxxp://www.jee-choi.com/test/wp-content/plugins/intensedebate/resetPass.html
Client-side exploit-serving URL: hxxp://the-mesgate.net/detects/signOn_go.php – 126.96.36.199, AS38442 – Email: firstname.lastname@example.org
Also responding to the same IP are the following malicious domains:
stafffire.net – 188.8.131.52, AS38442
hotsecrete.net – Email: email@example.com
formexiting.net – suspended domain
navisiteseparation.net – suspended domain
Name servers part of the campaign’s infrastructure:
We’ve already seen the same email (firstname.lastname@example.org) used in a previously profiled malicious campaign impersonating Intuit – “‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit”, where the client-side exploit-serving URL (art-london.net) was also registered with the same email.
Related malicious domains responding to these IPs:
Money mule recruitment domains using the same IP as a mailserver:
As you can see, this campaign is a great example of the very existence of the cybercrime ecosystem. Not only are they spamvertising millions of exploit- and malware-serving emails, they’re also multitasking on multiple fronts, as these two domains are recruiting money mules to process fraudulently obtained assets from the affected victims.
The following malicious domains are also part of the campaign’s infrastructure:
nokiaupdte.com – typosquatted domain impersonating Nokia Update
twiiter.com – typosquatted domain impersonating Twitter
http://www.jmbrino.blogsot.com – typosquatted domain impersonating Google’s Blogspot
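Each of the three typosquats above sits a single edit away from the name it imitates. As an added example (not code from the original article or from Webroot), the following flags such near misses in a domain feed; the `BRANDS` watchlist, the function names and the two benign sample entries are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: brand labels the defender wants to protect (not a list from the article).
BRANDS = ["nokiaupdate", "twitter", "blogspot"]

# The three typosquats named above, plus two constructed benign entries.
SAMPLE = ["nokiaupdte.com", "twiiter.com", "www.jmbrino.blogsot.com",
          "twitter.com", "example.org"]


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "twtiter" vs "twitter".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def registrable_label(indicator):
    """Label left of the TLD ('blogsot' for www.jmbrino.blogsot.com).
    Naive: assumes a single-label TLD; use a public-suffix list in production."""
    url = indicator if "://" in indicator else "//" + indicator
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else ""


def find_typosquats(indicators, brands=BRANDS, max_distance=2):
    """Return (indicator, brand, distance) for near misses; exact matches are skipped."""
    hits = []
    for ind in indicators:
        label = registrable_label(ind)
        if not label:
            continue
        dist, brand = min((osa_distance(label, b), b) for b in brands)
        if 0 < dist <= max_distance:
            hits.append((ind, brand, dist))
    return hits


if __name__ == "__main__":
    for ind, brand, dist in find_typosquats(SAMPLE):
        print(f"{ind}: resembles '{brand}' (distance {dist})")
```

A `max_distance` of 2 will produce false positives against short brand labels, so hits are leads for review rather than verdicts.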
Webroot SecureAnywhere users are proactively protected from these threats.