By Dancho Danchev
Cybercriminals are currently spamvertising online casino themed emails, which ultimately redirect users to a bogus casino site offering an executable download. Upon deeper examination, it appears that the download is actually adware.
More details:
Spamvertised URL, including affiliate ID: hxxp://grand-parker.com/bonus/15free.php?affid=22323&bonus=TAKE15 – currently responding to 212.7.194.232; 195.2.253.22.
Detection rate for GrandParker.exe: MD5: 7bec7eb7f891c1c894536c10fe53c34d, Detected by 6 out of 42 antivirus scanners as GAME/Casino.Gen2; W32/CasOnline; W32/Casino.HNY
Upon execution it phones back to the following URL in order to download the setup file:
setup.dnfilescntnt.eu//36175/cdn/parker/Grand%20Parker%20Casino20120417101453.msi
Detection rate for Grand_Parket_Casino.msi: MD5: e5fa6bc94ee9a5becfd6d5d1cb8f1147, Detected by 1 out of 41 antivirus scanners as PUA.Packed.PECompact-1
The cybercriminals behind the spamvertised campaign are earning revenue through the Hastings International B.V. distributor of RealTime Gaming software.
Webroot SecureAnywhere customers are proactively protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
this bl0og is very interesting to visit and read!
Pingback: Pop-ups at popular torrent trackers serving W32/Casonline adware « Webroot Threat Blog
Pingback: Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side exploits and malware « Webroot Threat Blog
Pingback: Millions of spamvertised emails lead to W32/Casonline « Webroot Threat Blog