Posted by admin on Friday, March 1st, 2013 | 1,904 views
We recently updated the URLVoid website:
- Optimized the report page (example)
- Show MyWOT reputation
- Show connection details, such as HTTP response code, connect time, etc.
- Capture external URL redirections (screenshot, report)
- Show server geolocation map
- Show more geo information about an IP address
- Show detailed traffic...
Posted by admin on Friday, February 22nd, 2013 | 5,345 views
It seems that spammers prefer WordPress as the blogging platform for advertising pharmaceutical keywords. We noted many websites that were compromised and used to host custom installations of WordPress, hidden in subfolders, to promote keywords related to pharmaceutical products. We checked approximately 30 spammed URLs and we noted that t...
Posted by admin on Sunday, September 16th, 2012 | 11,955 views
When we analyzed a few Twitter followers of one of our websites, we noted that there was a user that was following us, see the image:
We have analyzed the website (infected): www (dot) wordpress-how-to-videos (dot) com
The website wordpress-how-to-videos(dot)com is hosted at BSE Software GmbH and its current IP address is 82.220....
Posted by admin on Thursday, August 9th, 2012 | 11,985 views
The URLVoid API is a free service (for non-commercial use) that allows users to query our database of already analyzed domains and receive, in XML format, details about each submitted domain. The URLVoid API supports multiple domains in a single query, so you can submit 250 domains and receive details of each domain in [....
Posted by admin on Wednesday, June 13th, 2012 | 7,056 views
Phishing email against PayPal users:
Header details:
Received: from mail14j.g14.rapidsite.net (mail14j.g14.rapidsite.net [128.121.64.175])
Received: from ca1-mx26.mlpsca01.us.mxservers.net (128.121.64.172) by mail14j.g14.rapidsite.net
Received: from unknown [128.121.143.147] (EHLO mmm1430.rapidsite.net) by ca1-mx26.mlpsca01.us.m...
Posted by admin on Saturday, June 9th, 2012 | 60,538 views
We received a few emails with the subject: Amazon.com Order Confirmation
Inside the email message there is an HREF link that redirects users to a malicious web page containing malicious JavaScript code used to redirect users to the main URL of the Blackhole exploit kit:
The Blackhole exploit kit URL is:
GET /main.php?page=017f3bb5c2be6a41 ...
Posted by admin on Friday, June 8th, 2012 | 11,504 views
We have logged a few websites infected with a new injected JavaScript code that seems to mainly target websites powered by WordPress and Joomla. Below is a screenshot of the malicious script:
As we can see from the image above, the injected code starts with:
<!--Injection_head[SessionID=...]-->
And it ends with: ...
Posted by admin on Thursday, June 7th, 2012 | 7,454 views
Our honeypot has logged some new Blackhole Exploit Kit activity. The Java exploit file Set.jar is downloaded:
GET /Set.jar HTTP/1.1
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: 64.111.24.122
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Jun 2012 22:43:12 GMT
Content-Type: app...
Posted by admin on Monday, June 4th, 2012 | 5,103 views
New phishing email used to spread HTML files with fake PayPal login forms:
Header details:
Received: from ns3.komvos.gr (ns3.komvos.gr [88.198.65.153])
Received: by ns3.komvos.gr (Postfix, from userid 48)
Subject: Attention ! Votre compte PayPal a été limité !
From: Service Paypal
Date: Mon, 4 Jun 2012 13:00:12 +0300 (EEST)
C...
Posted by admin on Friday, May 25th, 2012 | 30,831 views
Another phishing email against Italian users of Mastercard / Visa:
Header details:
Received: from mail.oceano.hn (mail.oceano.hn [63.161.65.43])
Received: from User ([62.215.140.237]) by oceano.hn with MailEnable ESMTP; Fri, 25 May 2012 08:04:39 -0600
Subject: Abbiamo limitato l'accesso visa/mastercard account. Si prega di atten...