By Dancho Danchev
It appears that cybercriminals are back in the game, with yet another Verizon Wireless themed malicious campaign, enticing users to click on the malicious link found in the email. Once users click on the link, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.
Sample screenshot of the spamvertised email:
Sample email subjects: Fresh eBill is Should Be Complete. From: Verizon Wireless; Your Recent eBill from Verizon Wireless
Sample spamvertised compromised URLs:
Sample client-side expoits serving URL:
Malicious domain name reconnaissance:
proxfied.net – 126.96.36.199 – Email: firstname.lastname@example.org
Name Server: NS1.AMISHSHOPPE.NET – Email: email@example.com
Name Server: NS2.AMISHSHOPPE.NET – Email: firstname.lastname@example.org
We’ve already seen the same name servers used in the following previously profiled malicious campaign – “Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit“.
Responding to 188.8.131.52 are also the following malicious campaigns part of the campaign’s infrastructure:
Upon successful client-side exploitation, the campaign drops MD5: ce367f8e8fa4be25ef80baf5f4aff5c4 – detected by 26 out of 45 antivirus scanners as Worm:Win32/Cridex.E.
Although the cybercriminals didn’t bother coming up with a visually appealing email template impersonating Verizon Wireless like we’ve seen in the previously profiled Verizon Wireless themed campaigns from 2012, they continued to rely on the same malicious infrastructure used in the previously profiled Citi themed malicious campaign, indicating poor QA (Quality Assurance) on their behalf.
We’ll continue monitoring the campaign, and post updates as soon as new development emerge.
Webroot SecureAnywhere users are proactively protected from these threats.