Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: If site not apeared - Click Here - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
If site not apeared - Click Here

We received messages from two ISC readers, who reported an increase in spam messages that include a link to sub-sites of (Thanks, Matthew O. and J. T.) The fake blogs, set up on for this purpose, briefly display the phrase "If site not apeared - Click Here ." before redirecting the visitor to another site via a meta refresh tag, such as:

<meta content='0;URL=' http-equiv='refresh'/>

(Watch out, that URL is not friendly!)

The spam messages we've seen advertise Microsoft Office Enterprise 2007 software, and use subject lines such as "Microsoft Office ready to download" and "Microsoft Office 2007 OEM version". The body of the email currently looks like this:

Microsoft Office Enterprise 2007 includes:
• Access 2007
• Communicator 2007
• Excel 2007
• Groove 2007
• InfoPath 2007
• OneNote 2007
• Outlook 2007
• PowerPoint 2007
• Publisher 2007
• Word 2007

(Watch out, another maliciously-predisposed URL there!)

A Google search for "If site not apeared - Click Here" produced one unfriendly-looking website that resembles the ones hosted on, and a blog posting that describes an incident that might be related to this campaign and vents about Google. A Yahoo search for this phrase leads to two reports on malicious sites hosted on (1, 2). An MSN search produces another report. (Are you surprised I used more than one search engine? Me too.)

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.


216 Posts
Feb 25th 2008

Sign Up for Free or Log In to start participating in the conversation!