Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Strange phishing/spam e-mails SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Strange phishing/spam e-mails
We received couple of reports of very strange phishing/spam e-mails.

They all share obfuscated text which is shown properly when rendered as a HTML. In the body of the e-mail the text is always similar to:

"Dear <domain> Member,

We must check that your <domain> ID was registered by real people. So, to help <domain> prevent automated, registrations, please click on this link and complete code verification process."

The link is, of course, hidden in the HTML and the displayed one is different from where the user will go when they click the link.

All of these e-mails use Google redirector techniques in order to defeat SURBL (Spam URI Realtime Blocklists). Some of the e-mails we saw also use multiple redirectors in order to defeat Google's anti-redirector script.

They are also frequently malformed and don't work at all, for example, one of the reports we received pointed to this URL (with spaces added by us to prevent clicking on it):

ht tp://www.go\tTzA.Com/cgi -bin/p\toch/redir.cgi?s=<domain>

All e-mails always had recipients domain as the argument to the redir.cgi script. Also, most of the URLs are malformed and won't work (notice \t characters).

Some of the first e-mails that were submitted pointed to a different domain - This URL was accessible for couple of hours and it didn't seem to do anything - it was probably used to collect IP addresses, or the author is/was still setting things up.
The domain which is used now, is not resolvable, but is registered.

Thanks to Laurent D, Dan W, Guy R!

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Munich February 2022


400 Posts
ISC Handler
Nov 14th 2005

Sign Up for Free or Log In to start participating in the conversation!