BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware

By Dancho Danchev

Cybercriminals are currently mass mailing millions of emails, in an attempt to trick Bank of America customers into clicking on the exploit and malware-serving link found in the spamvertised email. Relying on bogus “Online Banking Passcode Changed” notifications and professionally looking email templates, the campaign is the latest indication of the systematic rotation of impersonated brands in an attempt to cover as many market segments as possible.

More details:


Screenshot of a sample spamvertised email:

Sample spamvertised and compromised URLs participating in the campaign – hxxp://;hxxp://

Client-side exploits serving URL: hxxp:// –, AS38442 – Email:

Also responding to the same IP are the following malicious domains: –, AS38442 – Email: – suspended domain – suspended domain

Name servers part of the campaign’s infrastructure:
Name Server: NS1.TOPPAUDIO.COM –, AS50300 – Email:
Name Server: NS2.TOPPAUDIO.COM – – Email:
Name Server: NS1.TWEET-TOWEL.NET – – Email:
Name Server: NS2.TWEET-TOWEL.NET – – Email:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s