Last Updated: 2015-09-01 00:01:45 UTC
by Daniel Wesemann (Version: 1)
Always nice when the spammers are so forthcoming to send their latest crud directly to our SANS ISC honeypot account. The current incarnation
Subject: Re: Your complimentary 3-night stay giftcard (Expires 09
From: "Marriott Gift Card" email@example.com
Received: from summerallstar.review (22.214.171.124-static.reverse.softlayer.com [126.96.36.199])
which kinda figures, Softlayer is among the cloud computing providers whose "get a virtual server FREE for one month" is an offering that scammers can't resist. The "Marriott" email said:
Marriott Special Gift Card:
ALERT: Your Marriott-Gift Card will expire 09/15/15.
Please claim your gift-card at the link below:
This gift-card is only good for one-person to claim
at once with participation required. Please respect the
rules of the special-giftpromo.
.review ? How lovely! Let's use the opportunity to again *thank* ICANN for their moronic money grab, and all the shiny new useless "top level domains" that honest users and corporations now have to avoid and block. The lesson learned a couple years ago, when ".biz" and ".info" came online, should have been enough to know that the new cyber real estate would primarily get occupied by crooks. But here we are. I guess ICANN and most domain name pimps don't mind where their revenue stream comes from. But I digress.
Clicking on the link results in a rather unimaginative website, hosted on http://lucky-survey.com-hu3[dot]info, shown on the picture below.
It doesn't (seem to - as far as I could tell) push any malware, but asks a couple of dumb questions, and then offers a prize. Ahem. Sort of a prize:
Somewhere along the way, it seems like the connection to "Marriott" got lost. Which is maybe all the better...