Be careful with the links shown in this diary, because they might still be live and could infect your computer if not handled properly.

More and more scams are seen each day. In a previous diary I discussed a phishing attack sent to users so that attackers can own their computers. Today I will show you another attack using the same technique and the same malicious code.

I received the following message today:

The online reservation details link pointed to http://somostigreros.com.ve/s3JgEpEu/index.html. The document has JavaScript pointing to four different URLs:

The JavaScript downloaded is the same in all four cases and points to another link:

We arrive at an obfuscated JavaScript. Let's see a snippet of it:

After decoding the script, I got the same JavaScript analyzed in my previous diary, which performs the following:
In addition to the measures previously discussed to mitigate this kind of threat, remember that you can become a propagation vector for malware like the one shown here if you publish vulnerable servers to the internet. Many attackers no longer want to shut down your server; they want to publish malware in non-visible locations inside your web server or web application. Please keep in mind the following:
Have you received this kind of threat inside your network? Let us know using our contact form. Manuel Humberto Santander Peláez |
Manuel Humberto Santander Peláez 195 Posts ISC Handler Apr 3rd 2012 |
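The landing URL in this diary and the ones readers report in the comments share one shape: an eight-character mixed-case alphanumeric directory followed by index.html. The following Python is an added example, not code from the diary or its author, that flags that shape in proxy logs so you can see which clients followed such a link. The log layout, the `looks_generated` heuristic and the `.example` hosts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path shape shared by the landing URLs on this page: /<8 alphanumerics>/index.html
LANDING_PATH = re.compile(r"^/([A-Za-z0-9]{8})/index\.html$")

def looks_generated(token):
    """Assumed heuristic: generated names mix digits with letters or switch
    to upper case mid-token; names like "products" or "Download" do not."""
    digit_and_letter = bool(re.search(r"\d", token) and re.search(r"[A-Za-z]", token))
    mid_token_upper = bool(re.search(r"[a-z0-9][A-Z]", token))
    return digit_and_letter or mid_token_upper

def landing_token(url):
    """Return (host, token) if url has the landing-page shape, else None."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # malformed URL field, e.g. a broken bracketed host
        return None
    m = LANDING_PATH.match(parts.path)
    if parts.scheme in ("http", "https") and host and m and looks_generated(m.group(1)):
        return host, m.group(1)
    return None

def suspicious_requests(log_lines):
    """Map client IP -> [(host, token), ...] for requests matching the shape.
    Assumed log layout: timestamp client method url status."""
    hits = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line
        hit = landing_token(fields[3])
        if hit:
            hits[fields[1]].append(hit)
    return dict(hits)

# Constructed proxy log; hosts use the reserved .example TLD.
SAMPLE_LOG = [
    "2012-04-03T09:14:02Z 10.0.0.21 GET http://shop.example/products/index.html 200",
    "2012-04-03T09:15:40Z 10.0.0.21 GET http://travel.example/s3JgEpEu/index.html 200",
    "2012-04-03T09:15:41Z 10.0.0.37 GET http://blog.example/Download/index.html 200",
    "2012-04-03T09:16:05Z 10.0.0.37 GET http://perfume.example/zh6jPwn1/index.html?x=1 200",
    "2012-04-03T09:16:09Z 10.0.0.44 GET http://cdn.example/XTbWCY0y/index.htm 404",
    "garbled line",
]

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
```

A hit is a triage lead, not a verdict: confirm it against what the page actually served before treating the client as compromised.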
Manuel, I've received the same e-mail, pointing to a different url [http://]parfumuri-ieftine.net[/]zh6jPwn1[/]index.html
(I've included the []s to avoid an accidental click). Saludos desde Colombia |
Anonymous |
Apr 4th 2012 1 decade ago |
deobfuscated code is a blacole Exploit code...
|
Anonymous |
Apr 4th 2012 1 decade ago |
Whatever font you used to display the js code, causes it to be about 20pt on my IE9.
|
dave 21 Posts |
Apr 4th 2012 1 decade ago |
they point to various targets, http://saffr on-cruises.co m/XTbWCY0y/index.html being one of them
And there's also a push of "Payflow Manager" (PayPal) phishing as well. |
CBob 23 Posts |
Apr 4th 2012 1 decade ago |
> Whatever font you used to display the js code, causes it to be about 20pt on my IE9.
It's a PNG file, i.e., a screen-capture, not "text". Probably done that way to avoid the text from being flagged by some virus-scanners as being "malicious". |
Anonymous |
Apr 5th 2012 1 decade ago |