
SANS ISC: E-mails with malicious links targeting Australia - Internet Security | DShield SANS ISC InfoSec Forums


E-mails with malicious links targeting Australia
We've received a couple of reports about spammed e-mails that contain links to browser exploits. What's interesting is that they are targeting Australia.

All e-mails we've received have the same content, but the URL seems to be moving around. The body is pasted below:

"People starting panic withdrawals, some of the accounts were reported closed due to technical reasons, many ATMs are not operating. Does it seem that one of the Australia's greatest goes bankrupt? The full story could be found here: <URL>
Well, hope that isn't true... Anyway You'd rather check your balance..."

The page behind the URL contains obfuscated JavaScript. The JavaScript code checks which browser the user is running and redirects them to the appropriate exploit, served by a CGI script.
The JavaScript also detects whether the user is running Service Pack 2 and appends that information as a CGI parameter.

The following Internet Explorer vulnerabilities are exploited:

MS03-011
MS06-006
MS06-014

One Mozilla Firefox vulnerability is exploited as well:

MFSA2005-50

For Firefox users, there is a good add-on for blocking malicious JavaScript, called "NoScript". You can find more information at the following site:
https://addons.mozilla.org/firefox/722/
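
For triaging a saved copy of such a landing page without running it, the sketch below (an added example, not code from the analysed sample or from the ISC) statically decodes `unescape`/`String.fromCharCode` literals and then checks for the behaviours described above: a browser check, a Service Pack 2 check, and a redirect to a CGI script. The function names, the indicator patterns (including the `SV1` user-agent token and `appMinorVersion` as SP2 markers) and the sample input are assumptions made for illustration.

```javascript
// Static triage of a saved page. Nothing is executed; only string literals are decoded.
// The indicator patterns below are illustrative assumptions, not taken from the analysed sample.
const hex = (_, h) => String.fromCharCode(parseInt(h, 16));

// Decode one layer of unescape("%xx...") and String.fromCharCode(n, ...) literals.
function decodeOnce(src) {
  return src
    .replace(/unescape\(\s*(["'])((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|[^"'%])*)\1\s*\)/g,
      (_, q, body) => body.replace(/%u([0-9a-fA-F]{4})/g, hex).replace(/%([0-9a-fA-F]{2})/g, hex))
    .replace(/String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g,
      (_, nums) => nums.split(",").map(n => String.fromCharCode(Number(n))).join(""));
}

// Peel nested layers until the text stops changing (bounded, so hostile input cannot loop).
function decodeLayers(src, maxRounds = 3) {
  let cur = src;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeOnce(cur);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Score the decoded text against the four behaviours the diary describes.
function triage(src) {
  const text = decodeLayers(src);
  const hits = {
    obfuscated: text !== src && /eval\s*\(|document\.write\s*\(/.test(src),
    browserCheck: /navigator\.(userAgent|appName|appVersion)\b/.test(text),
    sp2Check: /\bSV1\b|appMinorVersion|\bSP2\b/.test(text),
    cgiRedirect: /(location(\.href)?\s*=|location\.replace\s*\(|\.src\s*=)[^;\n]*(\.cgi|cgi-bin)/i.test(text),
  };
  const score = Object.values(hits).filter(Boolean).length;
  return { ...hits, score, verdict: score >= 3 ? "review" : "low" };
}

// Constructed inputs: a percent-encoded redirector with a placeholder path, and a benign UA check.
const plain = 'var sp = navigator.userAgent.indexOf("SV1") > -1 ? 1 : 0;' +
  'location.href = "/cgi-bin/placeholder.cgi?sp2=" + sp;';
const SAMPLE = '<script>eval(unescape("' +
  [...plain].map(c => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("") + '"))</script>';
const BENIGN = '<script>if (navigator.userAgent.indexOf("MSIE") > -1) { document.body.className = "ie"; }</script>';

console.log(triage(SAMPLE), triage(BENIGN));
```

A "review" verdict only means the page combines the described behaviours and deserves manual analysis in an isolated environment; a browser check on its own, as in the benign input, scores low.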



Bojan

ISC Handler
