SANS ISC: Rich Quick Make Money! - SANS Internet Storm Center

Based on reader reports (thanks Fred!) it looks like some carefully crafted spam is making its way past filters at the moment. The spam messages have content like the following:

To all of my friends who didn't have the a moment to watch me on the channel-20 news last Tuesday talking about my blog, and financial accomplishments. I'm forwarding you the News Article, so you can read the whole story on how I became financially independent and wealthy. hxxp://r,turn,com/r/formclick/id/Ln5c6GsFyTbGgAsAbQABAA/url/%68%74%74%70%3a%2f\%6a%2e%6d%70/TSQHMO?djyna

I'm using hxxp and a comma (,) instead of a dot (.) to keep the domains from becoming clickable, and to hopefully keep your spam/virus filter from panicking belatedly over this ISC diary instead of over the real spam earlier :)

We first expected some sort of Fake AV malware campaign, but it looks like the site "only" pushes the latest work-at-home-get-rich-quick scam. At least for the moment. Looking at the URL closely, here's what's going down: r,turn,com has an open redirect, meaning it forwards a visitor to whatever URL is handed to it in the link. The bad guys use this as a trampoline to bounce whoever clicks on the link to the next stage.

"%68%74%74%70%3a%2f\%6a%2e%6d%70" is just percent-encoded (hexadecimal) ASCII, and decodes to "hxxp:/\j,mp", so the next stage is hxxp://j,mp/TSQHMO?djyna.

There, we get a redirect to hxxp://wallyplanet,info/fizo.htm?33722, where we get a file that contains window.location = "hxxp://bit,ly/Vn3lWj".  Which redirects to hxxp://picklecook,us/fizo2.htm, where we get a file that contains window.location = "hxxp://CNBC-20NEWS,NET/momstory294b.htm", where we finally get the sob story and the get-rich-quick scam.
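The decoding and the hop-by-hop walk described above, as an added example that is not part of the original diary: the script percent-decodes the trampoline URL to pull out the URL hidden in its path, then walks the redirect chain offline against a constructed table of responses that mirrors the hops listed in the diary (an HTTP Location header or an HTML body setting window.location). It assumes the backslash the diary shows after %2f stands in for a second %2f (the encoded "//" of the next stage), and it keeps the diary's hxxp / comma defanging in its input and output. The names SPAM_URL, FAKE_RESPONSES and the helper functions are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample: the URL quoted in the diary, still defanged (hxxp, commas for dots).
# Assumption: the diary's "%2f\" is a defanged "%2f%2f", the encoded "//" of "http://j.mp".
SPAM_URL = ("hxxp://r,turn,com/r/formclick/id/Ln5c6GsFyTbGgAsAbQABAA/url/"
            "%68%74%74%70%3a%2f%2f%6a%2e%6d%70/TSQHMO?djyna")


def refang(url):
    """Turn the diary's hxxp / comma notation back into a real URL (host part only)."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("hxxp", "http") + sep + host.replace(",", ".") + slash + path


def defang(url):
    """Inverse of refang: make a URL non-clickable the way the diary does."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", ",") + slash + path


def percent_decode_fully(s, rounds=5):
    """Undo percent-encoding until the string stops changing (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


# Lookahead so that a URL embedded inside another URL is found as its own match.
URL_RE = re.compile(r'(?=(https?://[^\s"\'<>]+))', re.IGNORECASE)


def embedded_urls(url):
    """Return URLs hidden inside another URL's path or query (open-redirect trampolines)."""
    decoded = percent_decode_fully(refang(url))
    return [m.group(1) for m in URL_RE.finditer(decoded) if m.start() > 0]


# Constructed stand-in for the live responses the diary describes. Each hop answers with
# either an HTTP Location header or an HTML body that sets window.location.
FAKE_RESPONSES = {
    refang(SPAM_URL): ("location", "http://j.mp/TSQHMO?djyna"),
    "http://j.mp/TSQHMO?djyna": ("location", "http://wallyplanet.info/fizo.htm?33722"),
    "http://wallyplanet.info/fizo.htm?33722":
        ("html", '<script>window.location = "http://bit.ly/Vn3lWj";</script>'),
    "http://bit.ly/Vn3lWj": ("location", "http://picklecook.us/fizo2.htm"),
    "http://picklecook.us/fizo2.htm":
        ("html", '<script>window.location = "http://CNBC-20NEWS.NET/momstory294b.htm";</script>'),
    "http://CNBC-20NEWS.NET/momstory294b.htm":
        ("html", "<html><body>constructed placeholder for the final landing page</body></html>"),
}

JS_LOCATION_RE = re.compile(r'window\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']')


def next_hop(response):
    """Extract the next URL from a Location header or a JavaScript redirect in HTML."""
    kind, payload = response
    if kind == "location":
        return payload
    m = JS_LOCATION_RE.search(payload)
    return m.group(1) if m else None


def follow_chain(start, responses, max_hops=10):
    """Walk the redirect chain offline and return the defanged hops in order.
    Stops at an unknown URL, a loop, or when max_hops is reached."""
    chain, seen = [], set()
    url = refang(start)
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        chain.append(defang(url))
        resp = responses.get(url)
        url = next_hop(resp) if resp else None
    return chain


if __name__ == "__main__":
    print("embedded:", embedded_urls(SPAM_URL))
    for i, hop in enumerate(follow_chain(SPAM_URL, FAKE_RESPONSES), 1):
        print(f"{i}. {hop}")
```

The two checks a filter would need are both here: decoding the trampoline parameter exposes the real destination before any request is made, and walking the chain with a hop limit and a visited set means a looping or endless redirect cannot hang the analysis.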

I doubt the spam filters follow this mess all the way, so the URL reputation scoring in the spam filters apparently got tricked and let the email through.


Daniel (367 Posts, ISC Handler)
I've seen a lot of these recently too, but the ones I've seen all redirect through Google's 'I'm feeling lucky' search function. The text, however, is very similar.

http://www.spamcop.net/sc?id=z5437114469z86be7092445a4ce5204f6e49e98b94d8z;action=display
pogue (17 Posts)
I wrote a little article on this last week. The one I received used the I'm feeling lucky function as well. The funny part is that my site started becoming the number 1 site for that particular search term, thus leading the affected users to land on my site versus the malicious content. My article: http://www.tekdefense.com/news/2012/12/4/are-you-feeling-lucky.html
pogue (1 Post)