SANS ISC: What's the goal? SANS ISC InfoSec Forums

What's the goal?
Several of our users got two strange spams (differing only in starting link, one below). The first part is the link. The extra . in front of the domain makes it an invalid name that won't resolve. A mistake???

If you remove the period, and I use my real user-agent string, I get a 404. But if I change it to IE on Win8, I get what looks like fake pharmacy news. But if that's all it is, a pill-pushing site, why the user-agent filtering? urlquery and virustotal give the site a clean bill of health.

Anyone know what the goal is?

== Spam sample ==
Subject: Re:


hxxp://.price.poojarosebeauty.com

<fake name>

== Links ==

hxxp://price.poojarosebeauty.com redirects to

hxxp://somelimitlessmind.asia/e9eac2df86c7e854/c53a/62c0/lmf?key=aER5clJOVnFSWGVFYjY4bW5DMkEyVmZtY1lWdzB3NDZUUklXR3BUVm9ta3A5N1ZUeG10Vko3S3hBNkg3RUgyQzFJQmtvRGNkNUZ1ZS9nNUk0dS80QUFPa0dNY2JUT3NXajFoY1JqUjlQR1Fpc3JyMG5ON1VCM0w2TWM0RWRtUVZPNlBkYUFtdEN5SXN4YkcvaU5hZnJnPT0=


URL Query report using IE and Windows user-agent:

http://urlquery.net/report/71e18405-a3ba-448d-87b1-be56497da379
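An added example (my own code, not part of the original post) that shows mechanically why the spam's link cannot resolve: it refangs the hxxp:// URL quoted above and validates each hostname label, flagging the empty label that the leading dot produces. Function names are my own; the URLs are the ones from the post.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Defanged link from the spam sample on this page. The leading dot is the
# oddity under discussion; "hxxp://" is a common defanging convention.
SPAM_URL = "hxxp://.price.poojarosebeauty.com"

# An LDH (letters, digits, hyphen) label: 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def refang(url: str) -> str:
    """Turn hxxp/hxxps and [.] defanging back into a parseable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def hostname_problems(url: str) -> List[str]:
    """Return reasons the URL's hostname would fail to resolve.

    An empty list means the hostname is syntactically valid. Only syntax is
    checked here; no DNS lookup or HTTP request is made.
    """
    host = urlsplit(refang(url)).hostname or ""
    if not host:
        return ["no hostname"]
    # A single trailing dot denotes an absolute (fully qualified) name and is fine.
    if host.endswith("."):
        host = host[:-1]
    problems = []
    if len(host) > 253:
        problems.append("hostname longer than 253 octets")
    for i, label in enumerate(host.split(".")):
        if label == "":
            # Produced by a leading dot (as in the spam) or a doubled dot.
            problems.append(f"empty label at position {i} (leading or doubled dot)")
        elif not LABEL_RE.match(label):
            problems.append(f"label {label!r} is not a valid LDH label")
    return problems


if __name__ == "__main__":
    print(SPAM_URL, "->", hostname_problems(SPAM_URL) or "looks valid")
```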