Thread: New Phishing Scam

  1. #1
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004

    New Phishing Scam

    We received a couple of reports of very strange phishing/spam e-mails.

    They all share obfuscated text which is shown properly when rendered as HTML. In the body of the e-mail the text is always similar to:

    "Dear <domain> Member,

    We must check that your <domain> ID was registered by real people. So, to help <domain> prevent automated, registrations, please click on this link and complete code verification process."

    The link is, of course, hidden in the HTML and the displayed one is different from where the user will go when they click the link.

    All of these e-mails use Google redirector techniques in order to defeat SURBL (Spam URI Realtime Blocklists). Some of the e-mails we saw also use multiple redirectors in order to defeat Google's anti-redirector script.

    They are also frequently malformed and don't work at all, for example, one of the reports we received pointed to this URL (with spaces added by us to prevent clicking on it):

    ht tp://www.go ogle.to/url?q=http://STaNdar\tTzA.Com/cgi -bin/p\toch/redir.cgi?s=<domain>

    All e-mails always had the recipient's domain as the argument to the redir.cgi script. Also, most of the URLs are malformed and won't work (notice the \t characters).

    Some of the first e-mails that were submitted pointed to a different domain - standza.net. This URL was accessible for a couple of hours and it didn't seem to do anything - it was probably used to collect IP addresses, or the author is/was still setting things up.
    The domain which is used now, standartza.com, is not resolvable, but is registered.
    SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System
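    As an added example (not code from the poster or from the ISC), here is a small Python helper a mail-gateway filter could use on links like the one above: it strips the \t padding, statically peels nested Google-style redirectors without touching the network, and reports whether the final host is on a local blocklist and whether the link carries the recipient's own domain as a query argument. The redirector host list and the blocklist are constructed for illustration; the sample URL is modelled on the reported link with the anti-click spaces removed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Hosts whose ?q= (or ?url=) parameter is an open-redirect target (illustrative assumption).
REDIRECTOR_HOSTS = {"www.google.to", "www.google.com", "google.com"}
# Constructed local blocklist holding the two domains named in the report.
LOCAL_BLOCKLIST = {"standartza.com", "standza.net"}


def normalise(url: str) -> str:
    """Remove the padding that makes the URL look broken to a naive scanner:
    a literal backslash-t sequence or a real tab/CR/LF/control character."""
    url = url.replace("\\t", "")
    return re.sub(r"[\x00-\x1f\x7f]", "", url).strip()


def unwrap_redirectors(url: str, max_hops: int = 5) -> list:
    """Statically peel nested redirector URLs and return every hop, outermost first.
    No requests are made; max_hops keeps a self-referencing chain from looping."""
    hops = [normalise(url)]
    for _ in range(max_hops):
        parsed = urlparse(hops[-1])
        host = (parsed.hostname or "").lower()
        if host not in REDIRECTOR_HOSTS:
            break
        params = parse_qs(parsed.query, keep_blank_values=True)
        target = params.get("q") or params.get("url")
        if not target or not target[0]:
            break
        hops.append(normalise(unquote(target[0])))
    return hops


def classify(url: str, recipient_domain: str) -> dict:
    """Summarise a link: redirector hops, final landing host, blocklist hit, and whether
    the recipient's domain is passed as an argument (the redir.cgi?s=<domain> pattern)."""
    hops = unwrap_redirectors(url)
    final = urlparse(hops[-1])
    host = (final.hostname or "").lower()
    args = parse_qs(final.query)
    tagged = any(recipient_domain.lower() in v.lower() for vals in args.values() for v in vals)
    return {"hops": len(hops) - 1, "final_host": host,
            "blocklisted": host in LOCAL_BLOCKLIST, "recipient_tagged": tagged}


if __name__ == "__main__":
    # Constructed sample modelled on the reported link (spaces removed, \t kept).
    sample = "http://www.google.to/url?q=http://STaNdar\\tTzA.Com/cgi-bin/p\\toch/redir.cgi?s=example.org"
    print(classify(sample, "example.org"))
```

    The same function also handles chains of several redirectors (one `q=` wrapped inside another), which is the "multiple redirectors" variant mentioned above.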

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Hey Hey,

    There's been a thread discussing this going around FD. Apparently it also uses special characters that will reverse the formatting of some of the characters. The attached file is an example with the reversing characters.

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Join Date
    Aug 2005
    This has been doing the rounds of govt agencies here in Aus as well.

    The ones we are seeing are coming from 'a user' at your own domain, and the link in the email has the text www.<yourdomain>.gov.au

    The concern is that users will see it is from an 'internal address' with a link to an 'internal website' and click on it because they 'trust' the internal site. So far, besides the URL it gets redirected to (which, as it says, doesn't resolve), there is very little to block on.

    The best thing to do at the moment for us is to block incoming email from our own domain, as there should be no reason for email from internal sources to go through the mail gateway.
