Phishing & BotNets
FW: You've got a Yahoo! Greeting May 17 2006 08:21AM
John Uhlmann (john uhlmann anu edu au) (1 replies)
Re: FW: You've got a Yahoo! Greeting May 18 2006 01:13AM
Matthew McGlashan (matthew auscert org au)
Hi John,

We have been seeing a steady stream (but not in great amounts) of these
yahoo greeting card spam runs. This one links to (please be careful with
this link):

http://www. drs-wetzels. nl/counter. htm

Which contains a wealth of OS, IE and JVM version detection scripting
- all to ensure you get the appropriate exploit delivered to you.

Interestingly this drs-wetzels domain was compromised and used in October
last year for a similar style of attack but then the subject of the spam
run was "KEZAAM! SecuryTeam Order" - more details of that one per our
alert:

http://www.auscert.org.au/render.html?it=5640

We'll send a note to the hoster of drs-wetzels and try to get the site
cleaned.

Hope this helps,

-- Matthew McGlashan --
Coordination Centre Team Leader | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct: +61 7 3365 7924
(AusCERT) | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert (at) auscert.org (dot) au [email concealed]

> Try #2. In plain text. I edited the email slightly to make it more
> readable.
>
> Date: Wed, 17 May 2006 17:57:36 +1000
> From: John Uhlmann <john.uhlmann (at) anu.edu (dot) au [email concealed]>
> Subject: FW: You've got a Yahoo! Greeting
> To: au-abuse (at) yahoo-inc (dot) com [email concealed]
> Cc: mdannatt (at) longmeadowconsulting (dot) com [email concealed], hostmaster (at) startlogic (dot) com [email concealed],
> webmaster (at) pickaweb.co (dot) uk [email concealed], doi.helpdesk (at) anu.edu (dot) au [email concealed],
> phishing (at) securityfocus (dot) com [email concealed]
>
> Yahoo!,
> This is not abuse of a Yahoo! account, but rather a phishing attack
> disguised as a Yahoo! Greeting. I couldn't find an explicit means to
> report phishing attacks, but figured reporting it as abuse was close
> enough.
>
> I've CCed the contacts for the armourbilt.com domain as they are either
> complicit or have been exploited and are now the platform whereby the
> exploit is launched.
> I've CCed the contact for the hostingseries40.net domain as the phishing
> attack is probably launched from their domain.
> I've CCed the ANU helpdesk as I figure they'd like to know what's going
> on their network.
> I've CCed securityfocus.com because I hear that they like to know about
> phishing attacks.
>
> The text of the original email is attached, but I've included a copy of
> the SMTP headers for completeness.
>
> Cheers,
>
> John
>
>
> ----- SMTP headers -----
> Received: from anumail5.anu.edu.au ([150.203.2.45])
> by messaging2.anu.edu.au (Sun Java System Messaging Server 6.2-4.03
> (built Sep
> 22 2005)) with ESMTP id <0IZE00AQN01ILJA0 (at) messaging2.anu.edu (dot) au [email concealed]> for
> u9915240 (at) anumail.anu.edu (dot) au [email concealed]; Wed, 17 May 2006 11:56:06 +1000 (EST)
> Received: from host.hostingseries40.net
> (host.hostingseries40.net [209.59.136.85])
> by anumail5.anu.edu.au (8.13.6/8.13.6) with ESMTP id k4H1trHZ015851
> for
> <john.uhlmann (at) anu.edu (dot) au [email concealed]>; Wed, 17 May 2006 11:56:05 +1000 (EST)
> Received: from nobody by host.hostingseries40.net with local (Exim 4.52)
> id 1FgBGV-0007Dd-0S for john.uhlmann (at) anu.edu (dot) au [email concealed]; Wed,
> 17 May 2006 02:55:33 +0100
> Date: Wed, 17 May 2006 02:55:33 +0100
> From: greetings (at) reply.yahoo (dot) com [email concealed]
> Subject: You've got a Yahoo! Greeting
> To: john.uhlmann (at) anu.edu (dot) au [email concealed]
> Reply-to: greetings (at) donotreply.yahoo (dot) com [email concealed]
> Message-id: <E1FgBGV-0007Dd-0S (at) host.hostingseries40 (dot) net [email concealed]>
> MIME-version: 1.0
> Content-type: text/html
> X-AntiAbuse: This header was added to track abuse,
> please include it with any abuse report
> X-AntiAbuse: Primary Hostname - host.hostingseries40.net
> X-AntiAbuse: Original Domain - anu.edu.au
> X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
> X-AntiAbuse: Sender Address Domain - host.hostingseries40.net
> X-Source:
> X-Source-Args:
> X-Source-Dir:
> X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.3.0.1,
> Antispam-Data: 2006.5.16.181107 external
> X-Perlmx-Spam: Gauge=XI, Probability=11%, Report='CTYPE_JUST_HTML 0.848,
> NO_REAL_NAME 0, _PHISH_NO_REPLY 0, __CP_URI_IN_BODY 0, __CT 0,
> __CTYPE_IS_HTML 0, __HAS_MSGID 0, __MIME_HTML 0, __MIME_HTML_ONLY 0,
> __MIME_VERSION 0, __SANE_MSGID 0, __STOCK_SUBJ_9 0, __TAG_EXISTS_HTML
> 0'
>
>
> -----Original Message-----
> From: greetings (at) reply.yahoo (dot) com [email concealed] [mailto:greetings (at) reply.yahoo (dot) com [email concealed]]
> Sent: Wednesday, 17 May 2006 11:56 AM
> To: john.uhlmann (at) anu.edu (dot) au [email concealed]
> Subject: You've got a Yahoo! Greeting
> Importance: High
>
> <html><body>
> Surprise! You've just received a Yahoo! Greeting<br><br>
> To view this greeting card, click on the following
> Web address at anytime within the next 30 days.<br>
> <a
> href='http://www.armourbilt.com//card_.html?a=http://au.view.greetings.yahoo.com/greet/view&YBADLEFGQESUB'>http://au.view.greetings.yahoo.com/greet/view?EQRQSYAJNZLRS</a><br><br>
> Enjoy!<br><br>
> The Yahoo! Greetings Team<br><br>
> -------------------------<br>
> Yahoo! Greetings is a free service. If you'd like to send someone a<br>
> Yahoo! Greeting, you can do so at <a
> href='http://au.greetings.yahoo.com/'>http://au.greetings.yahoo.com/</a>
> <br>
> </body></html>
>
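As an added example (not code from the thread, from AusCERT or from Yahoo!), this Python script applies the two checks John and Matthew make by hand to a constructed copy of the quoted message: whether the relay that handed the mail to the recipient's MTA belongs to the domain in the From: header, and whether each link's visible URL names the same host as its href. The sample headers are assumed from the quoted SMTP headers above, and the relay-versus-domain comparison is a heuristic that legitimate third-party mailers will also trip.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the headers and HTML body quoted in the thread above,
# trimmed to the fields these checks look at (one Received line per hop).
RAW_MESSAGE = """\
Received: from host.hostingseries40.net (host.hostingseries40.net [209.59.136.85]) by anumail5.anu.edu.au with ESMTP id k4H1trHZ015851; Wed, 17 May 2006 11:56:05 +1000 (EST)
Received: from nobody by host.hostingseries40.net with local (Exim 4.52) id 1FgBGV-0007Dd-0S; Wed, 17 May 2006 02:55:33 +0100
From: greetings@reply.yahoo.com
Content-type: text/html

<html><body>To view this greeting card, click on the following Web address.<br>
<a href='http://www.armourbilt.com//card_.html?a=http://au.view.greetings.yahoo.com/greet/view'>http://au.view.greetings.yahoo.com/greet/view</a><br>
<a href='http://au.greetings.yahoo.com/'>http://au.greetings.yahoo.com/</a>
</body></html>
"""

# Simple anchors only (quoted href as first attribute); enough for mail bodies like this one.
ANCHOR = re.compile(r"<a\s+href=['\"]([^'\"]+)['\"][^>]*>(.*?)</a>", re.I | re.S)

def link_mismatches(html):
    """(href host, shown host) for links whose visible URL names a different host."""
    pairs = [(urlparse(h).hostname, urlparse(t.strip()).hostname)
             for h, t in ANCHOR.findall(html)]
    return [(real, shown) for real, shown in pairs if shown and shown != real]

def injecting_relay(msg):
    """'from' host in the topmost Received header: written by the recipient's
    own MTA, so the one hop in the chain the recipient can actually trust."""
    m = re.search(r"from\s+([\w.-]+)", str((msg.get_all("Received") or [""])[0]))
    return m.group(1) if m else ""

def sender_domain(msg):
    return parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()

def relay_matches_sender(relay, domain):
    """Heuristic: compare the last two DNS labels (yahoo.com vs hostingseries40.net).
    Legitimate third-party mailers will also trip this, so treat it as a signal."""
    tail = lambda h: ".".join(h.lower().split(".")[-2:])
    return bool(relay) and tail(relay) == tail(domain)

def analyse(raw):
    msg = message_from_string(raw, policy=policy.default)
    relay, domain = injecting_relay(msg), sender_domain(msg)
    return {"relay": relay, "sender_domain": domain,
            "relay_matches_sender": relay_matches_sender(relay, domain),
            "link_mismatches": link_mismatches(msg.get_content())}
```

Run against the sample, `analyse(RAW_MESSAGE)` reports the relay as host.hostingseries40.net rather than a yahoo.com host, and flags the first anchor, whose text shows au.view.greetings.yahoo.com while the href goes to www.armourbilt.com.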
