On a daily basis, we intercept hundreds of thousands of fraudulent or malicious emails whose purpose is to either infect users with malicious software or turn them into victims of fraudulent schemes. About 99% of these campaigns rely on social engineering tactics, and in the cases where they don’t include direct links to the actual malware, they direct users to the market leading Black Hole Exploit Kit.

In terms of volume and persistence, throughout January, 2013, a single malicious campaign impersonating FedEx topped our metrics data. What’s so special about this campaign? It’s the fact that the digital fingerprint of one of the most recently introduced malware variants used in the campaign corresponds to the digital fingerprint of a malware-serving campaign that we’ve already profiled, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.

Sample screenshot of the spamvertised email:

Fake_FedEx_TrackingID_TrackingNumber_TrackingDetail_Spam_Email_Malware

Sample spamvertised compromised URLs part of the campaign:
hxxp://relax-legend.ba/ZXSZUSBLZG.php?receipt
hxxp://stylephone.co.il/misc/teasers.php?receipt
hxxp://voguepay.com/FEZDVUUCLG.php?receipt=
hxxp://sunrisemedya.com/HAEJMKGUMT.php?receipt
hxxp://sunseekerownersclub.com/OOLZRZQTIW.php?receipt
hxxp://selimi-fugenabdichtungen.de/IYSZJVVIRA.php?receipt
hxxp://sunseekerownersclub.com/OOLZRZQTIW.php?receipt
hxxp://www.cursillodeorientacion.com/OLKIHLKYSB.php?receipt
hxxp://www.diocesebatroun.org/UEKFWHOJPF.php?receipt
hxxp://suarevista.com.br/QGQRXAOJLV.php?receipt
hxxp://fundloan.info/AYKQRUYOSL.php?receipt
hxxp://secretmobilemoneyprofits.com/SCTQOFXHVC.php?php=receipt
hxxp://www.matwigley.co.uk/SOJAJDTLAX.php?php=receipt
hxxp://rossiangelo.it/ALAGZUCWHV.php?receipt
hxxp://tqm.com.ua/misc/teasers.php?receipt
hxxp://metalphotosplus.com/PAUDSPBBXE.php?receipt
hxxp://businesscoaching24.com/BWMIZNPQAT.php?receipt
hxxp://www.bsf.org.pk/misc/teasers.php?get_receipt
hxxp://ferz.kiev.ua/misc/teasers.php?get_receipt

Detection rate for the malware variants distributed over the past 24 hours:
MD5: 980ffe6cee6ad5a197fbebdeeac9df57 – detected by 31 out of 46 antivirus scanners as Trojan-Downloader.Win32.Kuluoz.amg
MD5: bf061265407ea1f7c21fbf5f545c4c2b – detected by 6 out of 46 antivirus scanners as PAK_Generic.001
MD5: 6bb823d87f99da067e284935ca3a8b14 – detected by 36 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B
MD5: 75db84cfb0e1932282433cdb113fb689 – detected by 29 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B

Deja vu!  This is the same MD5: 75db84cfb0e1932282433cdb113fb689 that we profiled in the “Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware” analysis, indicating a (thankfully) low QA (Quality Assurance) applied on behalf of the cybercriminals launching these campaigns.

The campaign is ongoing, so watch what you click on! Webroot SecureAnywhere users are proactively protected from these threats with our comprehensive internet security solution.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This