By Dancho Danchev
Intuit users, beware!
Cybercriminals are currently mass mailing millions of emails impersonating Intuit’s Direct Deposit Service, in an attempt to trick its users into clicking on the malicious links found in the legitimate-looking emails. Upon clicking on any of them, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.
Sample screenshot of the spamvertised email:
Sample compromised URLs used in the campaign: hxxp://www.transplantexperience.in/inproldet.html; hxxp://www.skullisland.ca/inproldet.html; hxxp://pozycjonowanie.profi-group.pl/inproldet.html; hxxp://www.luxense.eu/inproldet.html; hxxp://media.ted.fr/sites/inproldet.html; hxxp://tacmap.jp/sites/inproldet.html; hxxp://spiler.hu/inproldet.html; hxxp://archaeology.tau.ac.il/inproldet.html; hxxp://www.tecfedericotaylor.edu.gt/inproldet.html; hxxp://www.viaherworld.com/inproldet.html
Client-side exploits serving URL: hxxp://savedordercommunicates.info/detects/bank_thinking.php; hxxp://savedordercommunicates.info/detects/bank_thinking.php?
Upon loading, the malicious URL attempts to drop a PDF on the affected host that exploits CVE-2010-0188. Once the exploit succeeds, it drops additional malware.
Detection rate for the dropped malware: MD5: ebe81fe9a632726cb174043f6ac93e46 – detected by 14 out of 44 antivirus scanners as Trojan.Win32.Bublik.qqf
Client-side exploits serving domain reconnaissance:
savedordercommunicates.info – 18.104.22.168, AS36352 – Email: email@example.com
Name Server: NS1.CHELSEAFUN.NET – 22.214.171.124, AS15003 – also responding to the same IP is the following malicious name server: ns1.nationalwinemak.com
Name Server: NS2.CHELSEAFUN.NET – 126.96.36.199, AS209
We’ve already seen the same name servers used in the previously profiled “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware” malicious campaign, indicating that both of these campaigns are managed by the same malicious party.
Responding to the same IP (188.8.131.52) is also the following malicious domain:
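Added example, not part of the original post: a small Python script a defender could run over web proxy logs to flag both stages of this campaign (the common /inproldet.html page on the compromised sites, then the savedordercommunicates.info landing page) and to cluster domains that share an authoritative name server, the pivot used above to tie this campaign to the Discover Card one. The log lines, the NS records and the second domain name are constructed placeholders, not data from the post.

```python
import re
from collections import defaultdict

# Indicators taken from the post above.
COMPROMISED_PATH = "/inproldet.html"
EXPLOIT_HOST = "savedordercommunicates.info"
EXPLOIT_PATH_PREFIX = "/detects/bank_thinking.php"

# Squid-style access log lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
1340000001.123 120 10.0.0.5 TCP_MISS/200 5120 GET http://www.skullisland.ca/inproldet.html - DIRECT/203.0.113.10 text/html
1340000002.456 310 10.0.0.5 TCP_MISS/200 88000 GET http://savedordercommunicates.info/detects/bank_thinking.php?f=1 - DIRECT/203.0.113.20 application/pdf
1340000003.789 50 10.0.0.7 TCP_HIT/200 2048 GET http://intranet.example.com/index.html - NONE/- text/html
"""

# Constructed NS records; "other-campaign.example" stands in for the earlier campaign's domain.
SAMPLE_NS = {
    "savedordercommunicates.info": ["NS1.CHELSEAFUN.NET", "NS2.CHELSEAFUN.NET"],
    "other-campaign.example": ["ns1.chelseafun.net."],
    "benign.example": ["ns1.benign.example"],
}

# timestamp elapsed client code/status bytes method URL ...
LOG_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+\w+\s+(\S+)\s")

def classify_url(url):
    """Label a URL as stage 1 (redirector) or stage 2 (exploit kit landing), else None."""
    m = re.match(r"https?://([^/]+)(/[^?]*)", url)
    if not m:
        return None
    host, path = m.group(1).lower(), m.group(2)
    if host == EXPLOIT_HOST and path.startswith(EXPLOIT_PATH_PREFIX):
        return "blackhole-landing"
    if path.endswith(COMPROMISED_PATH):
        return "redirector"
    return None

def scan_log(text):
    """Return (client_ip, url, label) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (label := classify_url(m.group(3))):
            hits.append((m.group(2), m.group(3), label))
    return hits

def cluster_by_nameserver(ns_records):
    """Group domains sharing a name server (case- and trailing-dot-insensitive)."""
    groups = defaultdict(set)
    for domain, servers in ns_records.items():
        for ns in servers:
            groups[ns.lower().rstrip(".")].add(domain)
    return {ns: sorted(d) for ns, d in groups.items() if len(d) > 1}
```

The hits from scan_log are the two requests by 10.0.0.5, in order, and cluster_by_nameserver returns only ns1.chelseafun.net, because it is the one server serving more than one domain in the sample.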
This isn’t the first time that we’ve intercepted Intuit themed malicious campaigns. Consider going through previous analyses profiling malicious campaigns impersonating the company:
- ‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit
- Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit
- Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails
- Spamvertised Intuit themed emails lead to Black Hole exploit kit
Webroot SecureAnywhere users are proactively protected from these threats.