We received messages from two ISC readers, who reported an increase in spam messages that include a link to sub-sites of blogspot.com. (Thanks, Matthew O. and J. T.) The fake blogs, set up on blogspot.com for this purpose, briefly display the phrase "If site not apeared - Click Here ." before redirecting the visitor to another site via a meta refresh tag, such as:
(Watch out, that gentsofnowu.com URL is not friendly!) The spam messages we've seen advertise Microsoft Office Enterprise 2007 software, and use subject lines such as "Microsoft Office ready to download" and "Microsoft Office 2007 OEM version". The body of the email currently looks like this: Microsoft Office Enterprise 2007 includes: (Watch out, another maliciously-predisposed URL there!) A Google search for "If site not apeared - Click Here" produced one unfriendly-looking website that resembles the ones hosted on blogspot.com, and a blog posting that describes an incident that might be related to this campaign and vents about Google. A Yahoo search for this phrase leads to two reports on malicious sites hosted on blogspot.com (1, 2). An MSN search produces another report. (Are you surprised I used more than one search engine? Me too.) -- Lenny Lenny Zeltser Lenny teaches a SANS course on analyzing malware. |
Lenny 216 Posts Feb 25th 2008 |
Thread locked Subscribe |
Feb 25th 2008 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!