By Dancho Danchev
Cybercriminals are currently mass mailing millions of emails, in an attempt to trick Bank of America customers into clicking on the exploit and malware-serving link found in the spamvertised email. Relying on bogus “Online Banking Passcode Changed” notifications and professionally looking email templates, the campaign is the latest indication of the systematic rotation of impersonated brands in an attempt to cover as many market segments as possible.
More details:
Screenshot of a sample spamvertised email:
Sample spamvertised and compromised URLs participating in the campaign – hxxp://kuj-pom.pl/wp-content/themes/simplenotes/resetPass.html; hxxp://mastropasticcere.bar.it/wp-content/themes/default/resetPass.html; hxxp://1980.mods.jp/wp-content/plugins/passchanged.html;hxxp://sunsetheroes.com/wp-content/plugins/1/passchanged.html; hxxp://www.jee-choi.com/test/wp-content/plugins/intensedebate/resetPass.html
Client-side exploits serving URL: hxxp://the-mesgate.net/detects/signOn_go.php – 183.81.133.121, AS38442 – Email: counseling72@yahoo.com
Also responding to the same IP are the following malicious domains:
stafffire.net – 183.81.133.121, AS38442
hotsecrete.net – Email: counseling1@yahoo.com
formexiting.net – suspended domain
navisiteseparation.net – suspended domain
Name servers part of the campaign’s infrastructure:
Name Server: NS1.TOPPAUDIO.COM – 91.216.93.61, AS50300 – Email: windowclouse@hotmail.com
Name Server: NS2.TOPPAUDIO.COM – 29.217.45.138 – Email: windowclouse@hotmail.com
Name Server: NS1.TWEET-TOWEL.NET – 208.88.124.81 – Email: worldonaplate@rocketmail.com
Name Server: NS2.TWEET-TOWEL.NET – 5.88.90.51 – Email: worldonaplate@rocketmail.com
Name Server: NS1.ELEPHANT-TRAFFIC.COM – 217.11.251.172
Name Server: NS2.ELEPHANT-TRAFFIC.COM – 217.11.251.171
Name Server: NS3.ELEPHANT-TRAFFIC.COM – 217.31.59.77
