Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: Strange phishing/spam e-mails - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Strange phishing/spam e-mails
We received couple of reports of very strange phishing/spam e-mails.

They all share obfuscated text which is shown properly when rendered as a HTML. In the body of the e-mail the text is always similar to:

"Dear <domain> Member,

We must check that your <domain> ID was registered by real people. So, to help <domain> prevent automated, registrations, please click on this link and complete code verification process."

The link is, of course, hidden in the HTML and the displayed one is different from where the user will go when they click the link.

All of these e-mails use Google redirector techniques in order to defeat SURBL (Spam URI Realtime Blocklists). Some of the e-mails we saw also use multiple redirectors in order to defeat Google's anti-redirector script.

They are also frequently malformed and don't work at all, for example, one of the reports we received pointed to this URL (with spaces added by us to prevent clicking on it):

ht tp://www.go ogle.to/url?q=http://STaNdar\tTzA.Com/cgi -bin/p\toch/redir.cgi?s=<domain>

All e-mails always had recipients domain as the argument to the redir.cgi script. Also, most of the URLs are malformed and won't work (notice \t characters).

Some of the first e-mails that were submitted pointed to a different domain - standza.net. This URL was accessible for couple of hours and it didn't seem to do anything - it was probably used to collect IP addresses, or the author is/was still setting things up.
The domain which is used now, standartza.com is not resolvable, but is registered.

Thanks to Laurent D, Dan W, Guy R!

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Prague August 2019

Bojan

380 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!