By Dancho Danchev
Newsflash, the cybercriminals behind the recently profiled malicious campaign impersonating Bank of America, launched yet another massive spam campaign, this time targeting ADP customers. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.
Sample screenshot of the spamvertised email:
Compromised malicious URLs spamvertised in the campaign: hxxp://shawnsheritagemasonry.com/trnztadp.html; hxxp://diversified.usereasy.net/trnztadp.html; hxxp://widespace.com.cn/trnztadp.html; hxxp://www.theironingbasket.com/trnztadp.html; hxxp://runtheattack.com/trnztadp.html; hxxp://kbc-tervuren.be/trnztadp.html; hxxp://egowy.com/loginadptr.html
Client-side exploits serving URL: hxxp://reasonedblitzing.net/detects/lorrys_implication.php – 18.104.22.168, AS3301 – Email: firstname.lastname@example.org; hxxp://nfcmpaa.info/detects/burying_releases-degree.php – 22.214.171.124, AS3301 – Email: email@example.com
Responding to the same IP are also the following malicious domains:
win8ss.com – Email: firstname.lastname@example.org
legacywins.com – Email: email@example.com
openpolygons.net – Email: firstname.lastname@example.org
steamedboasting.info – Email: email@example.com
Name servers part of the campaign’s infrastructure:
Name Server: NS1.TOPPAUDIO.COM
Name Server: NS2.TOPPAUDIO.COM
We’ve already seen the same name servers used in the recently profiled “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware” malicious campaign. Clearly, the cybercriminal or gang of cybercriminals behind the campaign continue rotating the impersonated brands, next to using the same malicious infrastructure to achieve their objectives.
Webroot SecureAnywhere users are proactively protected from these threats.