Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Gift card from Marriott? SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Gift card from Marriott?

Always nice when the spammers are so forthcoming to send their latest crud directly to our SANS ISC honeypot account. The current incarnation

Subject: Re: Your complimentary 3-night stay giftcard (Expires 09
From: "Marriott Gift Card" marriottgiftcard@summerallstar.review

came from

Received: from summerallstar.review (50.22.145.13-static.reverse.softlayer.com [50.22.145.13])

which kinda figures, Softlayer is among the cloud computing providers whose "get a virtual server FREE for one month" is an offering that scammers can't resist. The "Marriott" email said:

Marriott Special Gift Card:
=======================================================
Expires 09/15/15
Notification: #2595319
=======================================================

ALERT: Your Marriott-Gift Card will expire 09/15/15.

Please claim your gift-card at the link below:
http://seespecial.summerallstar[dot]review

This gift-card is only good for one-person to claim
at once with participation required. Please respect the
rules of the special-giftpromo.

=======================================================
Expires 09/15/15
Notification: #2595319
=======================================================

End-GiftCard Notification


.review ? How lovely! Let's use the opportunity to again *thank* ICANN for their moronic money grab, and all the shiny new useless "top level domains" that honest users and corporations now have to avoid and block. The lesson learned a couple years ago, when ".biz" and ".info" came online, should have been enough to know that the new cyber real estate would primarily get occupied by crooks. But here we are. I guess ICANN and most domain name pimps don't mind where their revenue stream comes from. But I digress.

Clicking on the link results in a rather unimaginative website, hosted on http://lucky-survey.com-hu3[dot]info, shown on the picture below.

It doesn't (seem to - as far as I could tell) push any malware, but asks a couple of dumb questions, and then offers a prize. Ahem. Sort of a prize:

Somewhere along the way, it seems like the connection to "Marriott" got lost. Which is maybe all the better...

 Daniel

385 Posts
ISC Handler
Sep 1st 2015
Thread locked Subscribe Sep 1st 2015
6 years ago

Sign Up for Free or Log In to start participating in the conversation!