
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center


It's Phishing Season! In fact, it's ALWAYS Phishing Season!

Published: 2012-05-30
Last Updated: 2012-05-30 17:42:26 UTC
by Rob VandenBrink (Version: 1)
4 comment(s)

It's always great to hear from our readers. We just got this note in from Tom on a phish that he recently encountered:

One of my followers on Twitter (whose account was likely hacked or fell victim to this scam) sent me the following DM:

hilarious pic!

That URL redirects to:

That site is clearly impersonating the site, and attempts to trick users into typing in their username and password.  As of this writing (May 30, 2012 12:18pm EDT), the site is still available.

The whois record shows it as registered to "XIN NET TECHNOLOGY CORPORATION" in Shanghai, China.  The whois record also has an HTML "script" tag in it, which may be an attempt to XSS users using web-based WHOIS services (though I did not try loading the JS file to find out).

While I've certainly seen reply spam on Twitter, I don't recall ever seeing this type of DM spam leading to phishing before.  I thought that you guys might find it interesting!

I sent a message using Twitter's online support form, and I also submitted the URL to Google's SafeBrowsing list.


This was just too good an example to pass up writing about.  Things to watch out for:

  • Any link you're asked to click on, in any context, is a risk - READ THE UNDERLYING LINK to verify that you're going where you think you are.
  • If it's a shortened link ( or whatever), check it with a sacrificial VM or from a sandboxed browser that you trust is actually partitioned and "safe".
  • Before you click the link - READ THE LINK AGAIN - the "vv" instead of a "w" character in "twitter" is a nice touch, and easy to miss.
  • Finally, before clicking the link, DON'T CLICK THE LINK.  Cut and paste it into your browser rather than clicking it directly.
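As an added example (not code from the diary or from Tom), here is a small Python link checker for the "vv"-instead-of-"w" trick described above. It goes a bit beyond that one case: it folds a few other common lookalike sequences and also flags the real brand domain appearing as a subdomain of an unrelated host. The confusable list and the allow-list of genuine domains are constructed assumptions, and the registrable-domain logic is a crude last-two-labels stand-in for a public-suffix lookup.

```python
from urllib.parse import urlsplit

# Character sequences that render almost identically in many fonts.
# "vv" -> "w" is the trick in the diary; the rest are an assumed list.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Constructed allow-list of domains the brand really uses.
KNOWN_DOMAINS = {"twitter.com", "t.co"}


def host_of(url: str) -> str:
    """Lower-case hostname of a URL; scheme-less input is tolerated."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def fold_confusables(label: str) -> str:
    """Rewrite lookalike sequences to the character they imitate."""
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def registrable(host: str) -> str:
    """Last two labels: a crude stand-in for a public-suffix lookup (wrong for co.uk etc.)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'legitimate', 'lookalike', 'brand-as-subdomain' or 'unrelated'."""
    host = host_of(url)
    if registrable(host) in KNOWN_DOMAINS:
        return "legitimate"
    # tvvitter.com becomes twitter.com after folding: the link impersonates the brand.
    folded_labels = [fold_confusables(lab) for lab in host.split(".")]
    if registrable(".".join(folded_labels)) in KNOWN_DOMAINS:
        return "lookalike"
    # twitter.com.example.net: the genuine domain used as a subdomain of something else.
    for known in KNOWN_DOMAINS:
        k = known.split(".")
        for i in range(len(folded_labels) - len(k) + 1):
            if folded_labels[i:i + len(k)] == k:
                return "brand-as-subdomain"
    return "unrelated"
```

Note that userinfo tricks such as `http://twitter.com@evil.example/` are handled by `urlsplit`, which reports `evil.example` as the host, so they come back as "unrelated" rather than "legitimate".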

If you've got any other pointers, or if I've missed anything, please use our comment to .. well... comment!


Rob VandenBrink
