‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit


By Dancho Danchev

Intuit users, beware!

Cybercriminals are currently mass mailing millions of emails impersonating Intuit’s Direct Deposit Service, in an attempt to trick its users into clicking on the malicious links found in the legitimate-looking emails. Upon clicking on any of them, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign: hxxp://www.transplantexperience.in/inproldet.html; hxxp://www.skullisland.ca/inproldet.html; hxxp://pozycjonowanie.profi-group.pl/inproldet.html; hxxp://www.transplantexperience.in/inproldet.html; hxxp://www.luxense.eu/inproldet.html; hxxp://media.ted.fr/sites/inproldet.html; hxxp://tacmap.jp/sites/inproldet.html; hxxp://spiler.hu/inproldet.html; hxxp://archaeology.tau.ac.il/inproldet.html; hxxp://www.tecfedericotaylor.edu.gt/inproldet.html; hxxp://www.viaherworld.com/inproldet.html

Client-side exploits serving URL: hxxp://savedordercommunicates.info/detects/bank_thinking.php; hxxp://savedordercommunicates.info/detects/bank_thinking.php?eony=3833043409&ujmp=36&akemejo=03370b370a33070b0207&lwv=0a000300040002

Upon loading, the malicious URL attempts to drop a PDF on the affected host that exploits CVE-2010-0188. Once the exploit succeeds, it drops additional malware.

Detection rate for the dropped malware: MD5: ebe81fe9a632726cb174043f6ac93e46 – detected by 14 out of 44 antivirus scanners as Trojan.Win32.Bublik.qqf

Client-side exploits serving domain reconnaissance:
savedordercommunicates.info – 75.127.15.39, AS36352 – Email: heike_ruigrok32@naplesnews.net
Name Server: NS1.CHELSEAFUN.NET – 173.234.9.89, AS15003 – also responding to the same IP is the following malicious name server: ns1.nationalwinemak.com
Name Server: NS2.CHELSEAFUN.NET – 65.131.100.90, AS209

We’ve already seen the same name servers used in the previously profiled “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware” malicious campaign, indicating that both of these campaigns are managed by the same malicious party.

Responding to the same IP (75.127.15.39) is also the following malicious domain:
teamscapabilitieswhich.org
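As an added example, not code from the post, the indicators above turned into a small proxy-log check that labels each stage of this chain: the compromised redirector path, the Black Hole landing URL on the exploit-serving domain, and the related infrastructure (the shared IP's other domain and the name-server domains). The log lines are constructed; the field layout and stage names are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Indicators taken from the post (hxxp:// refanged to http:// for matching).
COMPROMISED_PATH = "/inproldet.html"
EXPLOIT_HOSTS = {"savedordercommunicates.info"}
LANDING_PATH = "/detects/bank_thinking.php"
# Domains the post ties to the same IP or the same name servers.
RELATED_INFRA = {"teamscapabilitieswhich.org", "chelseafun.net", "nationalwinemak.com"}

# Constructed sample proxy log: "timestamp client_ip method url status".
SAMPLE_LOG = """\
2012-11-01T10:02:11 10.0.0.15 GET http://www.skullisland.ca/inproldet.html 200
2012-11-01T10:02:13 10.0.0.15 GET http://savedordercommunicates.info/detects/bank_thinking.php?eony=3833043409&ujmp=36&akemejo=03370b370a33070b0207&lwv=0a000300040002 200
2012-11-01T10:05:40 10.0.0.22 GET http://www.example.com/index.html 200
2012-11-01T10:07:02 10.0.0.31 GET http://teamscapabilitieswhich.org/ 200
"""

def in_related_infra(host):
    """True if host equals, or is a subdomain of, a related-infrastructure domain."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in RELATED_INFRA for i in range(len(parts)))

def classify(url):
    """Label the stage of the infection chain a URL belongs to, or None."""
    p = urlparse(url)
    host = p.hostname or ""
    if p.path == COMPROMISED_PATH:
        return "stage1-compromised-redirector"
    if host in EXPLOIT_HOSTS:
        # The landing URL in the post carries several short, randomly named parameters.
        if p.path == LANDING_PATH and len(parse_qs(p.query)) >= 3:
            return "stage2-exploit-kit-landing"
        return "stage2-exploit-kit-host"
    if in_related_infra(host):
        return "related-infrastructure"
    return None

def scan_log(text):
    """Return {client_ip: [(stage, url), ...]} for every matching request."""
    hits = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of crashing the scan
        client, url = fields[1], fields[3]
        stage = classify(url)
        if stage:
            hits.setdefault(client, []).append((stage, url))
    return hits
```

A client that shows stage 1 followed by stage 2 within seconds has completed the redirect to the exploit kit and should be treated as a likely compromise rather than a blocked click.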

This isn’t the first time that we’ve intercepted Intuit themed malicious campaigns. Consider going through previous analyses profiling malicious campaigns impersonating the company:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
