Cyber criminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using two different email templates. When clicked, the links in the malevolent emails lead to the client-side exploits serviced by the latest version of the Black Hole Exploit Kit.
Webroot completed an analysis of the malicious sites being spammed,
Sample spamvertised compromised URLS used in the campaign:
hxxp://franctelnetwork.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://ghostdeal.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://thesmsway.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://911pcs.com/components/com_ag_google_analytics2/alert-service-citibank.html
hxxp://rjewelryd.com/components/com_ag_google_analytics2/alert-service-citibank.html
hxxp://softwarehit.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
hxxp://ceipfernandogavilan.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
hxxp://troubleshootersacademy.com/components/com_ag_google_analytics2/citialert-sign_in.html
Sample client-side exploits serving URLs:
hxxp://eaglepointecondo.biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: [email protected]
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: [email protected]
hxxp://platinumbristol.net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: [email protected]
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: [email protected]
Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c – detected by 28 out of 45 antivirus scanners as Worm:Win32/Cridex.E.
Once executed, the sample performs the following activities:
- Accesses Firefox’s Password Manager local database
- Creates a thread in a remote process
- Installs a program to run automatically at logon
Webroot also provided an example of the templates being used.
This attacks are likely to get worse as it gets nearer to the holiday season as many consumers are purchasing their gifts online.