Category Archives: Security

How to identify fake shopping websites

When you want to buy something on the Internet, you generally search for “cheap clothes” or “cheap shoes”, but that is not always the best way to find a trusted and legitimate shopping website. Many scam websites appear on the first pages of Google search results when you search for a brand name followed by the word “cheap”, “cheapest” or “wholesale”.

Fake shopping websites look like any other legitimate e-commerce website: a good HTML template, the logos of all the accepted payment methods (credit cards, PayPal, etc.) and logos of (fake) trustworthiness certificates.

Here are a few ways to identify fake shopping sites, using this one as an example:

hxxp://gstarshopengland.com/ ---> fake shopping website

fake-shopping-site-template

1) Check the website with URLVoid

Before buying something from a website, I recommend always checking it with our free service URLVoid, which analyzes the website with multiple scanning engines to help detect malicious and fraudulent websites.

2) Look at the prices: low prices are not always good

When you see prices that are too low, with discounts of 50%, 55% or more, you should become a bit suspicious. The website may promote low prices to sell the fake or non-existent items quickly, before it is detected as fraudulent by security software and services.

3) Check the footer text and look for the company name

fake-shopping-site-footer

From the footer you can read this text:

Copyright C 2005-2011 G Star jackets for men Sale Powered by www. gstarshopengland .com All Rights Reserved.

Is “G Star jackets for men Sale Powered” a legitimate company name? Of course not. There is no reference to a legitimate company name, an address or contact information. Every legitimate and trusted website should have the company name in the footer near the copyright text, with at least the company’s address or the company’s VAT/IVA ID (if in the EU).

4) Compare the copyright date with the domain creation date

The website claims it has existed since 2005 with the text “Copyright 2005-2011”, but if you do a whois lookup on the domain name you can clearly see that the domain was created on 19 August 2013, only a few months ago:

Updated Date: 19-aug-2013
Creation Date: 19-aug-2013
Expiration Date: 19-aug-2014

5) Avoid buying clothes from young websites

With a whois lookup, always check the domain creation date: if the domain name was registered only a few months ago, I recommend not buying anything, because there is not enough history to tell whether the website is legitimate or fraudulent.

6) Check who is the owner of the website

From the whois data you can see that the domain was registered through a registrar in Beijing (China):

Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN

The name servers are also Chinese (.CN):

Name Server: NS13.DNS.COM.CN
Name Server: NS14.DNS.COM.CN

The organization name is also Chinese:

Organisation Name.... yanfang li
Organisation Address. xiantaoshishahuzhenfenglecun1zu55hao
Organisation Address.
Organisation Address. Jingzhou
Organisation Address. 433019
Organisation Address. HB
Organisation Address. CN

The email and telephone number of the website owner are also Chinese:

Tech Email........... xiandailihao@163.com
Tech Phone........... +86.7282640476
Tech Fax............. +86.7282640476

Personally, I would not buy G-Star clothes from a website registered in China; I would rather buy them from the official store or from other stores near where I live, so that in case of a problem I can more easily telephone the owner or visit the shop directly.

7) Make sure the website has HTTPS support

fake-shopping-site-no-ssl

When you go to the checkout to buy an item, you can see that there is no secure HTTPS connection. Every legitimate e-commerce website should use HTTPS wherever the user is asked to enter sensitive information or credit card details. I would never buy something from a website that has no HTTPS support.

8) Visit the about or contacts page to find valid contact information

fake-shopping-site-no-contacts

As you can see from the image above, the website has no information about how to contact the shop, such as a telephone number, an email address or the company’s address. I would never buy something from a shopping website that only has a contact form; I prefer to have a phone number, a valid email address and a valid company address to verify. Keep in mind that most scam websites use public email addresses, such as @gmail.com, @yahoo.com, @163.com, @hotmail.com, etc. A legitimate website should use an email address on its own domain, for example info@website.com.

9) Analyze the domain name string

If you see a website whose domain name looks like buy-cheap-shoes.com, buycheapshoes.com, super-cheap-shoes.com, jordanairmaxshop.com, wholesalenikeshoes.com, gstarshoppingengland.com or similar, you should avoid buying from it. A legitimate website should not contain a brand name in its domain name and should not contain the words “cheap”, “cheapest”, “wholesale”, etc.

10) Make sure the English language is correct

Even a legitimate website may contain grammar errors, but some fake shopping sites have a lot of them, so read a few pages and check the grammar; if you see too many errors, you may become a bit suspicious about the trustworthiness of the website.

11) Google is your friend to search information about a website

You can use Google to find more information about a suspicious website: search for the telephone number, the email address, the website owner’s name or the organization name, or simply search whether other users have had a bad experience with that website. You can also search for the IP address on Google to see whether there is other useful information about it.

12) Analyze the websites hosted in the same IP address

urlvoid-ip-address-websites

If a website comes up as clean on URLVoid, you can still check whether other websites hosted on the same IP address are malicious or detected by other scanning engines. URLVoid shows how many websites are hosted on an IP address, but you can also search on Google to see whether another website has more information.

13) Analyze the website’s IP address with IPVoid

I recommend scanning the website’s IP address with IPVoid, a free service that helps you find out whether an IP address has been blacklisted by anti-spam services or has participated in illicit activities.
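As an added example (this is not code from the post, nor from URLVoid or IPVoid), here is a small Python triage script that turns several of the checks above into code: tip 9 (brand names and bargain words in the domain label), tip 4 (a copyright range that starts before the domain existed), tips 3 and 8 (contact details on the site’s own domain) and tip 7 (HTTPS at the checkout). The input is a dictionary of facts you gather by hand or with a crawler; the word lists, the `assess_shop` function and the example shop record are all assumptions made for this example, and the record is modelled on the shop discussed above, not fetched live.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Hypothetical word lists: extend them to taste.
SUSPICIOUS_WORDS = ("cheap", "cheapest", "wholesale", "discount", "outlet")
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "163.com"}


def parse_creation_date(whois_text):
    """Return the 'Creation Date' from whois output in the dd-mon-yyyy form
    shown in the post (e.g. 'Creation Date: 19-aug-2013'), or None."""
    m = re.search(r"Creation Date:\s*(\d{1,2}-[A-Za-z]{3}-\d{4})", whois_text)
    return datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None


def parse_copyright_years(footer_text):
    """Return (first_year, last_year) from text like 'Copyright C 2005-2011'."""
    m = re.search(r"copyright\s*(?:\(c\)|©|c)?\s*(\d{4})(?:\s*-\s*(\d{4}))?",
                  footer_text, re.IGNORECASE)
    if not m:
        return None
    first = int(m.group(1))
    last = int(m.group(2)) if m.group(2) else first
    return first, last


def check_domain_name(domain, brands):
    """Tip 9: brand names and bargain words in the registrable label."""
    findings = []
    label = domain.lower().split(".")[0]
    for word in SUSPICIOUS_WORDS:
        if word in label:
            findings.append(f"domain label contains '{word}'")
    for brand in brands:
        if brand.replace("-", "").lower() in label:
            findings.append(f"domain label contains brand name '{brand}'")
    return findings


def check_copyright(footer_text, creation_date):
    """Tip 4: a copyright range that starts before the domain was created."""
    years = parse_copyright_years(footer_text)
    if years is None or creation_date is None:
        return []
    if years[0] < creation_date.year:
        return [f"footer claims copyright since {years[0]} but the domain "
                f"was created on {creation_date.isoformat()}"]
    return []


def check_contacts(domain, emails, has_phone, has_address):
    """Tips 3 and 8: real contact details, with email on the site's own domain."""
    findings = []
    if not emails:
        findings.append("no contact email published")
    for email in emails:
        mail_domain = email.rsplit("@", 1)[-1].lower()
        if mail_domain in PUBLIC_MAIL_DOMAINS:
            findings.append(f"contact email uses public webmail ({mail_domain})")
        elif mail_domain != domain.lower():
            findings.append(f"contact email domain ({mail_domain}) differs from site domain")
    if not has_phone:
        findings.append("no telephone number published")
    if not has_address:
        findings.append("no company address published")
    return findings


def check_checkout(checkout_url):
    """Tip 7: the checkout must be served over HTTPS (necessary, not sufficient)."""
    if urlparse(checkout_url).scheme.lower() != "https":
        return ["checkout page is not served over HTTPS"]
    return []


def assess_shop(site, brands=("G-Star",)):
    """site: facts gathered about one shop. Returns the list of red flags found;
    an empty list only means that none of these particular checks fired."""
    findings = []
    findings += check_domain_name(site["domain"], brands)
    findings += check_copyright(site["footer"], parse_creation_date(site["whois"]))
    findings += check_contacts(site["domain"], site["emails"],
                               site["has_phone"], site["has_address"])
    findings += check_checkout(site["checkout_url"])
    return findings


# Constructed input modelled on the example shop in the post (not live data).
EXAMPLE_SITE = {
    "domain": "gstarshopengland.com",
    "footer": "Copyright C 2005-2011 G Star jackets for men Sale Powered by "
              "www.gstarshopengland.com All Rights Reserved.",
    "whois": "Updated Date: 19-aug-2013\nCreation Date: 19-aug-2013\n"
             "Expiration Date: 19-aug-2014\n",
    "emails": [],
    "has_phone": False,
    "has_address": False,
    "checkout_url": "http://gstarshopengland.com/checkout",
}

if __name__ == "__main__":
    for flag in assess_shop(EXAMPLE_SITE):
        print("-", flag)
```

Run against the constructed record, the script reports six red flags. Treat every finding as an indicator rather than proof: a scam site can buy a certificate and pass the HTTPS check, and a real shop may simply have a sloppy footer, so the value is in how many independent checks fire at once.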

This post may be updated with time, so keep an eye here.

Malware: UPS Delivery Notification Tracking Number

We recently logged some emails with two suspicious files attached:

ups-malware

As you can see, the email has a subject and a sender address that may seem to come from UPS, but in reality the email is a scam, used to spread as an attachment a file named invoiceCM0V9ORWJF23KX8PAP.PDF.exe, the executable of the (in)famous Zbot trojan, used by cybercriminals to monitor victims’ PCs and steal banking data and other sensitive information.

More information about the attached file:

File: invoiceCM0V9ORWJF23KX8PAP.PDF.exe
Size: 167.2 KB ( 171261 bytes )
SHA256: 2695e33e671c4eee1e55ad534d9b33445a56b8ffeff50b7c63fa12f266de1088
SHA1: 3c0e4f12faef99cc80f8a091a8210b34a2c7c9fb
MD5: 015e60d0ddff09d7df66d926d3793cc8

WordPress-how-to-videos(dot)com Spreads Java Exploits

When we analyzed a few Twitter followers of one of our websites, we noticed a user that was following us; see the image:

We analyzed the (infected) website:

www (dot) wordpress-how-to-videos (dot) com

The website wordpress-how-to-videos(dot)com is hosted at BSE Software GmbH and its current IP address is 82.220.34.22 (330.hostserv.eu). The server is located in Switzerland (CH) and 0 other websites are hosted on the same server. The domain is registered with the suffix COM and the keyword of the domain is wordpress-how-to-videos. The organization is hosttech GmbH.

The website redirects users to a malicious URL that tries to exploit the user’s browser with a Java exploit, as you can see from this image:

Java Exploit

The malicious redirect is triggered only if the user browses the infected website with a Referer header containing a search-engine string, such as Google. Using the free service HTML Sniffer we can simulate the Google referer and see that we are redirected to the exploit URL:

The exploit URL seems to change very frequently:

garliccommercial .ru /pavilion?8
midwaydance .ru /pavilion?8

Both malicious URLs are hosted on this IP address:

206.53.52 .13

The Java exploit is loaded from another malicious URL:

ypcbpukqt. lflinkup .com /PJeHubmUDaovPDRCJxGMEzlYXdvvppcg

Be careful when clicking on the websites of your Twitter followers!

Amazon.com Order Confirmation leads to Blackhole Exploit Kit

We received a few emails with the subject:

Amazon.com Order Confirmation

Inside the email message there is an HREF link that sends users to a malicious web page containing JavaScript code that redirects them to the main URL of the Blackhole exploit kit:

Amazon.com fake order page

The Blackhole exploit kit URL is:

GET /main.php?page=017f3bb5c2be6a41 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adnroidsoft .net

Fortunately the domain is no longer active.

New Malicious Injected Code: Injection_head and Injection_tail

We have logged a few websites infected with a new injected JavaScript code that seems to target mainly websites powered by WordPress and Joomla. Below is a screenshot of the malicious script:

Image

As we can see from the image above, the injected code starts with:

<!--Injection_head[SessionID=...]-->

And it ends with:

<!--Injection_tail[SessionID=...]-->

Spam “Your Bill Me Later notice” leads to Incognito exploit kit

Users have reported another malicious email message with the subject “Your Bill Me Later notice”, which states that you have made a payment of $60.12 over the phone to the Bill Me Later website. The email body is full of HREF links pointing to many malicious URLs; here is a screenshot of the email message:

Your Bill Me Later notice

Email header details:

Received: from server.serverhk.net (69-164-193-60.magicnic.com [69.164.193.60])
Received: from [200.76.191.2] (helo=askokay.com) by server.serverhk.net with esmtpsa
Received: from [192.245.26.33] by m1.gns.snv.thisdomainl.com with SMTP; Wed, 16 May 2012 21:04:47 +1000
Received: from [68.117.211.36] by mailout.endmonthnow.com with NNFMP; Wed, 16 May 2012 20:54:02 +1000
Date: Wed, 16 May 2012 20:50:24 +1000
From: "Advera" askokay@askokay.com
Subject: Your Bill Me Later notice

The extracted malicious URLs are:

hxxp:// www. studiobarsotti .it /3oXGcu61/index.html
hxxp:// www. eventosabsolue .com /qh8xhoi8/index.html
hxxp:// foxpublicidade .com .br /foRzthoD/index.html
hxxp:// www. studiobarsotti .it /GRYYEt3L/index.html
hxxp:// 76.12.158 .176 /3oXGcu61/index.html
hxxp:// 76.12.158 .176 /yWyXU9NU/index.html
hxxp:// www. eventosabsolue .com /ZmUaukzG/index.html
hxxp:// ewaleczek. cal24 .pl /5CY4dSwa/index.html
hxxp:// www. eventosabsolue .com /h03NraKE/index.html
hxxp:// foxpublicidade. com .br/yWyXU9NU/index.html
hxxp:// www. hso. co. jp/yWyXU9NU/index.html
hxxp:// zajacpiotr. hostit .pl /yWyXU9NU/index.html
hxxp:// zajacpiotr. hostit. pl /smWHegmd/index.html
hxxp:// ftp.joblines .sk /ri8ZKUip/index.html
hxxp:// www. sacmilani. com. ar /uvoNJPhk/index.html
hxxp:// foxpublicidade. com. br /smWHegmd/index.html
hxxp:// www. studiobarsotti .it /hTVbWtV1/index.html
hxxp:// jahu. com. br /FW3s2g0r/index.html
hxxp:// onecursos .com .br /foRzthoD/index.html
hxxp:// www. studiobarsotti .it /GRYYEt3L/index.html
hxxp:// www. studiobarsotti .it /yWyXU9NU/index.html
hxxp:// www. kayafamily .it /ZmUaukzG/index.html

Using URL Dump we can dump the HTML content:

Dumped HTML Content

From the dumped data, we can see it is the Incognito exploit kit.

Extracted malicious URLs:

hxxp:// bigdeal . my/ZyYJZ7F0/js.js

The malicious URLs redirect users to another malicious URL:

hxxp:// 69.163.34. 134 /showthread.php?t=977334ca118fcb8c

If we use URL Dump with the user-agent set to Java and dump the content of the new malicious URL, we can see that it recognises from the user-agent that the visitor has Java, and the exploit kit tries to serve the infected Java applet:

Dumped Data

More Malicious Links Spammed to Twitter Users

Another malicious link received by a user via Twitter:

hxxp:// profitscoaching .info /index.php?eVTv=1336686044437

Whois details:

Domain Name: profitscoaching .info
Registrar: GoDaddy.com LLC (R171-LRMS)
Status: CLIENT DELETE PROHIBITED, CLIENT RENEW PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED
Expiration Date: 2013-03-07 14:59:08
Creation Date: 2012-03-07 14:59:08
Last Update Date: 2012-05-06 20:39:46
Name Servers:
ns61.domaincontrol.com
ns62.domaincontrol.com
 
Registrant Contact Information:
Name: Registration Private
Organization: Domains By Proxy, LLC
Address 1: DomainsByProxy.com
Address 2: 15111 N. Hayden Rd., Ste 160, PMB 353
City: Scottsdale
State: Arizona
Zip: 85260
Country: US
Phone: +1.4806242599
Fax: +1.4806242598

Hosting details:

The website profitscoaching .info is hosted at WholeSale Internet and its current IP address is 173.208.196.245 (-). The server is located in the United States (US) and 0 other websites are hosted on the same server. The domain is registered with the suffix INFO and the keyword of the domain is profitscoaching. The organization is Gold VIP Club.

The malicious link redirects users to another malicious link:

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.6.32
Date: Fri, 11 May 2012 22:55:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.2.6-1+lenny16
Set-Cookie: PHPSESSID=1bff1c2b505aa2004bda6028bb28ad0a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: hxxp:// aooale .info /ytb/redirect.php

Extracted malicious link:

hxxp:// aooale .info /ytb/redirect.php

Whois details:

Domain Name: aooale .info
Registrar: GoDaddy.com LLC (R171-LRMS)
Status: CLIENT DELETE PROHIBITED, CLIENT RENEW PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED
Expiration Date: 2012-09-21 13:41:55
Creation Date: 2011-09-21 13:41:55
Last Update Date: 2011-11-20 20:41:26
Name Servers:
ns49.domaincontrol.com
ns50.domaincontrol.com
 
Registrant Contact Information:
Name: Registration Private
Organization: Domains By Proxy, LLC
Address 1: DomainsByProxy.com
Address 2: 15111 N. Hayden Rd., Ste 160, PMB 353
City: Scottsdale
State: Arizona
Zip: 85260
Country: US
Phone: +1.4806242599
Fax: +1.4806242598

Hosting details:

The website aooale.info is hosted at DirectSpace Networks, LLC. and its current IP address is 174.140.169.101 (-). The server is located in the United States (US) and 0 other websites are hosted on the same server. The domain is registered with the suffix INFO and the keyword of the domain is aooale. The organization is DirectSpace Networks, LLC.

URLVoid scan reports:

http://urlvoid.com/scan/aooale .info
http://urlvoid.com/scan/profitscoaching .info

Other malicious links:

hxxp:// ioi8 .info /gps
hxxp:// bp9 .info /mobi/redirect.php
hxxp:// iso8 .info /lg
hxxp:// jay8 .info /b2d
hxxp:// saov .info /mobilemoneymachines/

The malicious links generally redirect users to what look like scam pages:

Fake Make Money Sites

The scam pages show fake images of people holding a check and promote the “Work at home mum makes

Spam link on Twitter leads to Fake Antivirus Rogue Software

One user has reported to us a malicious URL that is being sent as a private message to users registered on Twitter; the extracted malicious link is:

hxxp:// www. delicious-audio .com /wp-content

If clicked, it redirects users to a new malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: hxxp:// blog.keeples .com /wp-content
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 27
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// blog.keeples .com /wp-content

Now there is a new redirect to another malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:13 GMT
Server: Apache/2.2.3 (CentOS)
Location: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/

This is the link to the web page of the fake antivirus rogue software.
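The 302 chains in this post and in the Twitter spam post above (profitscoaching .info to aooale .info; delicious-audio .com to blog.keeples .com to spywarecleanermicrosoft .info), and the referer-conditional redirect on wordpress-how-to-videos(dot)com, are all the same analyst task: walk the Location headers hop by hop and record every URL seen, once with and once without a search-engine Referer. The following Python is an added example, not a tool from the blog or from URL Dump or HTML Sniffer. It takes a `fetch(url, referer)` callable so that it runs here against an offline stand-in; the hostnames in `CONSTRUCTED_RESPONSES` are placeholders, and only the paths echo the ones quoted in the posts.

```python
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}
SEARCH_ENGINE_HINTS = ("google.", "bing.", "yahoo.")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def follow_chain(url, fetch, referer=None, max_hops=10):
    """Follow Location headers hop by hop. fetch(url, referer) must return a raw
    response (a real client, or the offline stand-in below). Stops at the first
    non-redirect, at a loop, or at max_hops, and returns every URL visited so
    that each hop can be looked up and blocked, not only the last one."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = parse_response(fetch(url, referer))
        if status not in REDIRECT_CODES or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
        chain.append(url)
        if url in seen:          # redirect loop
            break
        seen.add(url)
    return chain


def referer_cloaking(url, fetch):
    """Compare the chain a direct visitor gets with the chain a visitor arriving
    from a search engine gets; a difference is the referer-conditional redirect
    seen on the infected WordPress site."""
    direct = follow_chain(url, fetch)
    via_search = follow_chain(url, fetch,
                              referer="https://www.google.com/search?q=wordpress+videos")
    return {"direct": direct, "via_search_engine": via_search,
            "cloaked": direct != via_search}


# --- Offline stand-in for the network, constructed for this example. ---
def redirect_to(location):
    return (f"HTTP/1.1 302 Found\r\nServer: Apache/2.2.3 (CentOS)\r\n"
            f"Location: {location}\r\nContent-Length: 0\r\n\r\n")


OK_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

CONSTRUCTED_RESPONSES = {
    "http://compromised-blog.example/wp-content":
        redirect_to("http://second-hop.example/wp-content"),
    "http://second-hop.example/wp-content":
        redirect_to("http://fake-av-landing.example/0520091375cbc551/"),
    "http://fake-av-landing.example/0520091375cbc551/": OK_PAGE,
    "http://cloaked-site.example/": OK_PAGE,
    "http://exploit-landing.example/pavilion?8": OK_PAGE,
}


def fake_fetch(url, referer):
    """The cloaked site only redirects when the Referer names a search engine."""
    if url == "http://cloaked-site.example/" and referer and \
            any(hint in referer for hint in SEARCH_ENGINE_HINTS):
        return redirect_to("http://exploit-landing.example/pavilion?8")
    return CONSTRUCTED_RESPONSES.get(url, "HTTP/1.1 404 Not Found\r\n\r\n")


if __name__ == "__main__":
    print(" -> ".join(follow_chain("http://compromised-blog.example/wp-content", fake_fetch)))
    print(referer_cloaking("http://cloaked-site.example/", fake_fetch))
```

To use it on live suspects, pass a `fetch` that performs the request from an isolated analysis host and returns the raw response without following redirects itself; the point of recording the whole chain is that the intermediate hosts (the compromised blog, the second hop) are indicators worth blocking, and a scanner that only visits the site directly would miss the cloaked hop entirely.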

Whois details:

Domain Name: spywarecleanermicrosoft.info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:32:40
Creation Date: 2012-05-08 11:32:40
Last Update Date: 2012-05-08 11:33:15
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Gerolamo Genovese
Address 1: Via Bernardino Rota 1
City: Mellana
State: CN
Zip: 12012
Country: IT
Phone: +39.3535605212
Email: kinsman@doramail.com

Hosting details:

The website spywarecleanermicrosoft .info is hosted at BurstNET Limited and its current IP address is 31.193.12.3 (31-193-12-3.static.hostnoc.net). The server is located in the United Kingdom (GB) and 0 other websites are hosted on the same server. The domain is registered with the suffix INFO and the keyword of the domain is spywarecleanermicrosoft. The organization is BurstNET Limited.

Screenshot of the fake warning message:

Fake Warning Message

Screenshot of the fake scanning web page:

Fake Scanning Page

From the above images we can see that the fake rogue security software named Windows Antivirus 2012 is being distributed. After the fake system scan finishes, the user is prompted to download an executable file named setup.exe:

Downloaded File

The file is downloaded from a new malicious website:

GET /0520091375cbc551/setup.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: scannerdatamicrosoft .info

Whois Details:

Domain Name: scannerdatamicrosoft .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:11:28
Creation Date: 2012-05-08 11:11:28
Last Update Date: 2012-05-08 11:12:08
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: milner@snail-mail.net

Domain details:

The website scannerdatamicrosoft .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.13 (hst-10-13.duomenucentras.lt). The server is located in Lithuania (LT) and 0 other websites are hosted on the same server. The domain is registered with the suffix INFO and the keyword of the domain is scannerdatamicrosoft. The organization is Webhosting, collocation services.

File details:

File: setup.exe
Size: 2278400 bytes
MD5: EC91E0F31587F6471A4EBCFE2681A45B
SHA1: 0AB7F7253F5CBADF6D664781A73D30A19E251FCA
SHA256: 67DFD917561DF7FE653CE5E0CD7E0688E42B719F1BB475A5EE2819003CE6DC6A
SHA384: 77BB9D7DF670BC9F4C91DED341086C30570E6D9AE14BEE1A172F502CA5C502428FC631B9F88A31CECF290B7CFB1C5FA2
SHA512: 85D1F0608D24DD2B15477EAC540666319831F829B7E8065D9E5B8A2AC5D4860486BCA891FA95DBBBB8EB93834485575108EE957C5AD556EFBA9FDA5824D2C780

When setup.exe is executed, the rogue software drops two .EXE files:

Dropped .EXE files

File Modified - %SAMPLE% - %AppData%\Protector-phkm.exe
Process Created - %SAMPLE% - %AppData%\Protector-phkm.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-phkm.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 2278400 bytes
File Modified - %SAMPLE% - %AppData%\Protector-tpqx.exe
Process Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE
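The sandbox lines above already contain the facts an analyst wants (what was written, with which hash, and which process did it); the Python below is an added example, not the sandbox’s own tooling, that parses them into a summary. The log text is copied from the post as constructed input; the `summarize_events` function and its output keys are assumptions made for this example.

```python
import re

# Sandbox log lines copied from the post (constructed input for this example).
SANDBOX_LOG = r"""File Modified - %SAMPLE% - %AppData%\Protector-phkm.exe
Process Created - %SAMPLE% - %AppData%\Protector-phkm.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-phkm.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 2278400 bytes
File Modified - %SAMPLE% - %AppData%\Protector-tpqx.exe
Process Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE"""

MD5_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b")
SIZE_RE = re.compile(r"\b(\d+) bytes\b")


def parse_event(line):
    """One 'event - actor - target [- publisher - md5 - size ...]' line to a dict."""
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) < 3:
        return None
    md5 = MD5_RE.search(line)
    size = SIZE_RE.search(line)
    return {
        "event": parts[0],
        "actor": parts[1],
        "target": parts[2],
        "md5": md5.group(0).upper() if md5 else None,
        "size": int(size.group(1)) if size else None,
    }


def summarize_events(log_text, sample_md5):
    """Group events into the artefacts worth recording: files created, which of
    them are byte-identical copies of the sample (same MD5), child processes
    started, and deletions carried out through a child process."""
    sample_md5 = sample_md5.upper()
    summary = {"created": [], "self_copies": [], "child_processes": [], "deleted": []}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["event"] == "File Created":
            summary["created"].append(ev["target"])
            if ev["md5"] == sample_md5:
                summary["self_copies"].append(ev["target"])
        elif ev["event"] == "Process Created":
            summary["child_processes"].append((ev["target"], ev["md5"]))
        elif ev["event"] == "File Deleted":
            summary["deleted"].append((ev["actor"], ev["target"]))
    return summary


if __name__ == "__main__":
    for key, items in summarize_events(SANDBOX_LOG, "EC91E0F31587F6471A4EBCFE2681A45B").items():
        print(key, items)
```

Reading the summary against the hashes listed earlier in the post: both Protector-*.exe files carry the same MD5 (EC91E0F31587F6471A4EBCFE2681A45B) and size (2278400 bytes) as setup.exe, so they are plain copies of the sample placed under %AppData%, and the original %SAMPLE% is then deleted through a spawned cmd.exe. For detection, the paths under %AppData% and the self-copy pattern are the durable indicators; the random suffixes (phkm, tpqx) are not.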

This is a screenshot of the rogue software’s splash screen:

windows-prosecurity-scanner-fake-antivirus

More screenshots of the rogue software:

GUI

When the user clicks the “Activate” button, the rogue software opens a new Internet Explorer web page where the user is supposed to enter his/her credit card details (which will be stolen by the trojan); here is a screenshot of the malicious web page:

Fraud Page

Connections logged:

GET / HTTP/1.0
Accept: application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www. cmyip .com
Connection: Keep-Alive
 
GET /service/ HTTP/1.0
User-Agent: Mozilla/4.0
Host: 0520091375cbc551 .on-linepaysafery .info
 
POST / HTTP/1.0
Accept: application/x-shockwave-flash, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551. on-linepaysafery .info
Content-Length: 109
Connection: Keep-Alive
Pragma: no-cache
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a
action=form&projectId=72&partnerId=146&subId=0&install_id=yhstmcvcgj&group_name=2011-3-28_1&reason=errorflash
 
GET /payment_forms/default/images/sprite.png HTTP/1.0
Accept: */*
Referer: hxxp://0520091375cbc551 .on-linepaysafery .info /
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551 .on-linepaysafery .info
Connection: Keep-Alive
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a

Malicious links extracted:

hxxp:// 0520091375cbc551. on-linepaysafery .info /service/

Whois Details:

Domain Name: on-linepaysafery .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 08:24:44
Creation Date: 2012-05-08 08:24:44
Last Update Date: 2012-05-08 08:26:02
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: sini@wildmail.com

Domain details:

The website www.on-linepaysafery .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.15 (hst-10-15.duomenucentras.lt). The server is located in Lithuania (LT) and 2 other websites are hosted on the same server. The domain is registered with the suffix INFO and the keyword of the domain is on-linepaysafery. The organization is Webhosting, collocation services.

URLVoid scan reports:

http://www.urlvoid.com/scan/delicious-audio .com
http://www.urlvoid.com/scan/spywarecleanermicrosoft .info
http://www.urlvoid.com/scan/0520091375cbc551. on-linepaysafery .info
http://www.urlvoid.com/scan/on-linepaysafery .info
http://www.urlvoid.com/scan/blog.keeples .com
http://www.urlvoid.com/scan/scannerdatamicrosoft .info

Link LinkedIn Mail leads to Incognito exploit kit

We have logged a new email that looks like it was sent by LinkedIn:

Scam Email

The email header shows it is a scam:

Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24])
Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net
Date: Fri, 04 May 2012 08:34:11 -0700
From: "Order" @fixnot.com.tr
Subject: Link LinkedIn Mail
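What the header block above and the “Your Bill Me Later notice” headers earlier on this page show can be checked mechanically: the `From:` domain appears in the Received chain only as a HELO value the sending side asserted itself, never as a hostname the receiving servers observed, and the top hop’s declared name does not match its reverse DNS. The following Python is an added example, not code from the blog; both header blocks are copied from the posts as constructed input, and the `analyse_headers` function and its output keys are assumptions made here.

```python
import re

# Header blocks copied from the two posts (constructed input for this example).
BILL_ME_LATER_HEADERS = """Received: from server.serverhk.net (69-164-193-60.magicnic.com [69.164.193.60])
Received: from [200.76.191.2] (helo=askokay.com) by server.serverhk.net with esmtpsa
Received: from [192.245.26.33] by m1.gns.snv.thisdomainl.com with SMTP; Wed, 16 May 2012 21:04:47 +1000
Received: from [68.117.211.36] by mailout.endmonthnow.com with NNFMP; Wed, 16 May 2012 20:54:02 +1000
Date: Wed, 16 May 2012 20:50:24 +1000
From: "Advera" askokay@askokay.com
Subject: Your Bill Me Later notice"""

LINKEDIN_HEADERS = """Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24])
Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net
Date: Fri, 04 May 2012 08:34:11 -0700
From: "Order" @fixnot.com.tr
Subject: Link LinkedIn Mail"""


def parse_received(value):
    """Pull the hop facts out of one Received header value."""
    hop = {"from_host": None, "reverse": None, "ip": None, "helo": None, "by": None}
    m = re.match(r"from\s+(\S+)", value)
    if m:
        hop["from_host"] = m.group(1)
    m = re.search(r"\((\S+?)\s+\[", value)           # reverse-DNS name before the [ip]
    if m:
        hop["reverse"] = m.group(1)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})", value)
    if m:
        hop["ip"] = m.group(1)
    m = re.search(r"helo=([\w.-]+)", value)
    if m:
        hop["helo"] = m.group(1)
    m = re.search(r"\bby\s+(\S+)", value)
    if m:
        hop["by"] = m.group(1)
    return hop


def analyse_headers(raw):
    """Received headers are listed newest first, so hops[0] is the last server
    to handle the mail and hops[-1] the earliest hop visible."""
    lines = raw.splitlines()
    hops = [parse_received(l.split(":", 1)[1].strip())
            for l in lines if l.startswith("Received:")]
    from_line = next((l for l in lines if l.startswith("From:")), "")
    m = re.search(r"@([\w.-]+)", from_line)
    sender_domain = m.group(1).lower().rstrip(".") if m else None

    def in_domain(name):
        return name == sender_domain or name.endswith("." + sender_domain)

    # Names the receiving servers recorded themselves (hostname, reverse DNS, 'by')
    observed = {n.lower() for h in hops for n in (h["from_host"], h["reverse"], h["by"])
                if n and not n.startswith("[")}
    # Names the sending side merely claimed in HELO/EHLO
    claimed = {h["helo"].lower() for h in hops if h["helo"]}
    origin = hops[-1] if hops else None
    return {
        "sender_domain": sender_domain,
        "hops": len(hops),
        "origin_ip": origin["ip"] if origin else None,
        "sender_domain_only_in_helo": bool(sender_domain) and any(map(in_domain, claimed))
                                      and not any(map(in_domain, observed)),
        "top_hop_name_mismatch": bool(hops) and hops[0]["reverse"] is not None
                                 and hops[0]["from_host"] != hops[0]["reverse"],
    }


if __name__ == "__main__":
    print(analyse_headers(BILL_ME_LATER_HEADERS))
    print(analyse_headers(LINKEDIN_HEADERS))
```

Only the Received lines added by your own mail servers are trustworthy; everything below them was written by whoever handed the message over and can be forged, so the earliest hop is a lead for lookup on IPVoid or a blacklist, not a proven origin.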

The email body also contains a few malicious links:

hxxp:// gopeshmathur .com/ZgUBqavg/index.html

The dumped content of the URL is clearly an Incognito exploit kit:

Incognito exploit kit URLs

All the new malicious links are still alive and redirect users to:

Incognito exploit kit

The Java exploit JAR files are downloaded from:

hxxp:// 50.116.8. 93 /data/Pol.jar
hxxp:// 69.163.34 .114 /data/Pol.jar
File: Pol.jar
Size: 15404 bytes
MD5: 020B0B477706596E71DE25286ED77991
SHA1: C196A7B07BFE3D3593E93F7D98E910FA8E63AFF6
SHA256: F76AC6983135C7A69B5F07BC762F1AA478E2D49489090AC66882BC8065D1862B
SHA384: 9C6BF2971E1F86588A9A08A3F18C096FBC62A42CE6927E0A7D0AFDB56DA01DBC4A6F72F742CC62B510FC1085221753D5
SHA512: 5464424E028620C4821B740B89787C7A75E6A56401F98BD15BA94F1A9268D54411E41E97DAE86468F4BDA54160A023DCC45F134E97BC6655E31C9274F8A21FC0

The JAR file exploits a vulnerability in the Java Runtime Environment component of Oracle Java SE (CVE-2012-0507); more details from the oracle.com website:

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are 7 Update 2 and before, 6 Update 30 and before and 5.0 Update 33 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.

Other malicious Incognito exploit kit URLs:

hxxp:// ftp.coden .com .br /BhxC8VrP/index.html
hxxp:// generalcontractorsnc .com/nUUyHyvy/index.html
hxxp:// mccgedvalenca .com .br/JFs10e34/index.html
hxxp:// radiooisvira .com /mRpNLgWY/index.html
hxxp:// statisticsolympiad .org /gR2aietM/index.html

URLVoid scan reports:

http://www.urlvoid.com/scan/gopeshmathur .com
http://www.urlvoid.com/scan/jombangit .com
http://www.urlvoid.com/scan/shahinvestment .com
http://www.urlvoid.com/scan/mazyamana .com
http://www.ipvoid.com/scan/72.5.102.224
http://www.urlvoid.com/scan/ftp.coden .com .br
http://www.urlvoid.com/scan/generalcontractorsnc .com
http://www.urlvoid.com/scan/mccgedvalenca .com .br
http://www.urlvoid.com/scan/statisticsolympiad .org
http://www.urlvoid.com/scan/radiooisvira .com

Com.Br Websites Infected with Malicious JS Code (count18.php)

Our sandbox has logged various domains with the suffix .COM.BR infected with malicious obfuscated JavaScript code injected at the beginning of the websites’ HTML pages, before the initial <html> tag:

Obfuscated JS code

The malicious script redirects users to a malicious URL:

hxxp:// bylviha .ru/count18.php

Some examples of infected websites:

hxxp:// carboniferacatarinense .com .br/
hxxp:// www. csir-iir. org/
hxxp:// www. terapets .com/

Sometimes the malicious script is injected inside the <title> tag:

JS Injected in Title TAG
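The three placements described on this page (the Injection_head/Injection_tail comment markers from the earlier post, a script placed before the opening <html> tag, and a script nested inside <title>) are all cheap to find in a site backup or a crawl, because none of them belongs in well-formed HTML. The Python below is an added example, not a tool from the blog; it scans a page for the three patterns and can strip the marker-delimited block. The HTML samples are constructed, with harmless stand-ins where the real payloads would be, and the function names are assumptions made for this example.

```python
import re

MARKER_RE = re.compile(
    r"<!--Injection_head\[SessionID=(?P<sid>[^\]]*)\]-->"
    r"(?P<body>.*?)"
    r"<!--Injection_tail\[SessionID=[^\]]*\]-->",
    re.DOTALL | re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.DOTALL | re.IGNORECASE)
TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)</title>", re.DOTALL | re.IGNORECASE)
HTML_OPEN_RE = re.compile(r"<html\b", re.IGNORECASE)


def find_marked_blocks(html):
    """Injection_head/Injection_tail comment pairs, with their SessionID."""
    return [{"session_id": m.group("sid"), "span": m.span(), "body": m.group("body")}
            for m in MARKER_RE.finditer(html)]


def find_scripts_before_html(html):
    """Script elements placed before the opening <html> tag (or anywhere,
    if the page has no <html> tag at all)."""
    m = HTML_OPEN_RE.search(html)
    prefix = html[:m.start()] if m else html
    return [s.group(0) for s in SCRIPT_RE.finditer(prefix)]


def find_scripts_in_title(html):
    """Script elements nested inside <title>, where no script belongs."""
    found = []
    for t in TITLE_RE.finditer(html):
        found.extend(s.group(0) for s in SCRIPT_RE.finditer(t.group(1)))
    return found


def scan(html):
    return {"marked": find_marked_blocks(html),
            "before_html": find_scripts_before_html(html),
            "in_title": find_scripts_in_title(html)}


def is_suspicious(html):
    return any(scan(html).values())


def strip_marked_blocks(html):
    """Remove marker-delimited blocks; the page's own code is left untouched."""
    return MARKER_RE.sub("", html)


# Constructed samples; the script bodies are harmless stand-ins for the payloads.
MARKED_SAMPLE = """<html><head><title>Shop</title></head><body>
<!--Injection_head[SessionID=CONSTRUCTED-1234]-->
<script>/* stand-in for the injected payload */ var a = 1;</script>
<!--Injection_tail[SessionID=CONSTRUCTED-1234]-->
<p>page content</p></body></html>"""

PREFIX_SAMPLE = """<script>/* stand-in for the obfuscated loader */ var b = 2;</script>
<!DOCTYPE html>
<html><head><title>Site</title></head><body>ok</body></html>"""

TITLE_SAMPLE = ("<html><head><title>Site<script>/* stand-in */ var c = 3;</script>"
                "</title></head><body>ok</body></html>")

if __name__ == "__main__":
    for name, sample in (("marked", MARKED_SAMPLE), ("prefix", PREFIX_SAMPLE),
                         ("title", TITLE_SAMPLE)):
        print(name, scan(sample))
```

Run it over every .html and .php template of a site after a clean-up and again on a schedule: a hit on the marker pattern gives you the SessionID to correlate across infected sites, while the positional checks catch the count18.php style injections that carry no marker at all. Removing the injected code is not the fix; the page was writable to the attacker, so the credentials or the vulnerable component that allowed the write have to be dealt with too.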

URLVoid reports of the malicious domains:

http://www.urlvoid.com/scan/bylviha .ru
http://www.urlvoid.com/scan/carboniferacatarinense .com .br
http://www.urlvoid.com/scan/csir-iir. org
http://www.urlvoid.com/scan/terapets .com