By Dancho Danchev
Cybercriminals have recently launched yet another massive spam campaign, this time impersonating the Better Business Bureau (BBB), a brand routinely abused in social engineering driven email campaigns.
Users who click on any of the links in the malicious emails are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.
Sample screenshot of the spamvertised email:
Sample compromised URLs used in the campaign:
Sample client-side exploits serving URL:
Malicious domain name reconnaissance:
tv-usib.com – 126.96.36.199 – Email: firstname.lastname@example.org
Name Server: NS1.AMISHSHOPPE.NET – Email: email@example.com
Name Server: NS2.AMISHSHOPPE.NET – Email: firstname.lastname@example.org
Responding to 188.8.131.52 are also the following malicious domains, part of the campaign’s infrastructure:
bmsavingsn.com – ACTIVE phishing campaign
We’ve already seen the same name servers used in the previously profiled “Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit” and “Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware” campaigns.
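The reconnaissance above is an infrastructure pivot: start from one malicious domain, then walk outwards over the name servers and IP it shares with other domains to find the rest of the campaign and tie it to earlier ones. The script below is an added example, not code from the post or from Webroot. Its records are constructed: tv-usib.com, bmsavingsn.com, the AMISHSHOPPE.NET name servers and the (anonymised) IP the post says the domains respond to are taken from the post, while the .example names are hypothetical stand-ins for domains from the earlier Citi and Verizon campaigns and for an unrelated site, and the 203.0.113.x / 198.51.100.x addresses are documentation ranges.

```python
"""Pivot over shared DNS infrastructure to cluster campaign domains.

Added example, not code from the post. RECORDS is constructed: the .com
domains, AMISHSHOPPE.NET name servers and 188.8.131.52 come from the post;
the .example names and 203.0.113.x / 198.51.100.x IPs are hypothetical.
"""
from collections import defaultdict, deque

RECORDS = [
    {"domain": "tv-usib.com", "ip": "188.8.131.52",
     "ns": ["NS1.AMISHSHOPPE.NET", "NS2.AMISHSHOPPE.NET"]},
    {"domain": "bmsavingsn.com", "ip": "188.8.131.52",
     "ns": ["NS1.AMISHSHOPPE.NET", "NS2.AMISHSHOPPE.NET"]},
    {"domain": "citi-alert-lure.example", "ip": "203.0.113.10",
     "ns": ["NS1.AMISHSHOPPE.NET", "NS2.AMISHSHOPPE.NET"]},
    {"domain": "verizon-ebill-lure.example", "ip": "203.0.113.11",
     "ns": ["NS1.AMISHSHOPPE.NET", "NS2.AMISHSHOPPE.NET"]},
    {"domain": "unrelated-shop.example", "ip": "198.51.100.7",
     "ns": ["NS1.OTHER-DNS.EXAMPLE"]},
]


def attributes(record):
    """Infrastructure attributes of one record as (kind, value) pairs."""
    attrs = {("ip", record["ip"])}
    attrs.update(("ns", ns.lower()) for ns in record["ns"])
    return attrs


def build_index(records):
    """Map each (kind, value) attribute to the set of domains that use it."""
    by_attr = defaultdict(set)
    for r in records:
        for attr in attributes(r):
            by_attr[attr].add(r["domain"])
    return by_attr


def pivot(seed, records, pivot_on=("ip", "ns"), max_fanout=50):
    """Breadth-first walk from `seed` across shared attributes.

    Returns {domain: (kind, value, reached_from)}; the seed maps to None.
    Attributes shared by more than `max_fanout` domains (a registrar's
    default name servers, a shared-hosting IP) are skipped, because
    pivoting through them would pull in unrelated sites.
    """
    by_attr = build_index(records)
    attrs_of = {r["domain"]: attributes(r) for r in records}
    if seed not in attrs_of:
        raise KeyError(f"no record for {seed}")
    reached = {seed: None}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for kind, value in attrs_of[current]:
            if kind not in pivot_on or len(by_attr[(kind, value)]) > max_fanout:
                continue
            for other in by_attr[(kind, value)]:
                if other not in reached:
                    reached[other] = (kind, value, current)
                    queue.append(other)
    return reached


def related_domains(seed, records, **kwargs):
    """Sorted list of domains linked to `seed`, excluding the seed itself."""
    return sorted(d for d in pivot(seed, records, **kwargs) if d != seed)


if __name__ == "__main__":
    for domain, link in pivot("tv-usib.com", RECORDS).items():
        print(domain, "<-", link)
```

Pivoting on the name servers reaches the stand-ins for the earlier campaigns, while pivoting on the IP alone only reaches bmsavingsn.com; the `max_fanout` guard is the check worth keeping, since a name server or IP used by hundreds of domains is hosting infrastructure rather than evidence of a shared operator.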
Upon successful client-side exploitation, the campaign drops MD5: 2646f13db754654aff315ff9da9fa911 – detected by 30 out of 46 antivirus scanners as Worm:Win32/Cridex.E.
Upon execution, the sample phones back to:
Webroot SecureAnywhere users are proactively protected from these threats.