Tag: exploit

WordPress-how-to-videos(dot)com Spreads Java Exploits

When we analyzed a few Twitter followers of one of our websites, we noted that there was a user following us, see the image: We have analyzed the website (infected): www (dot) wordpress-how-to-videos (dot) com The website wordpress-how-to-videos(dot)com is hosted at BSE Software GmbH and its current IP address is 82.220....

Amazon.com Order Confirmation leads to Blackhole Exploit Kit

We received a few emails with the subject: Amazon.com Order Confirmation Inside the email message there is an HREF link that redirects users to a malicious web page containing malicious JavaScript code used to redirect users to the main URL of the Blackhole exploit kit: The Blackhole exploit kit URL is: GET /main.php?page=017f3bb5c2be6a41 ...

New Malicious Injected Code: Injection_head and Injection_tail

We have logged a few websites infected with a new injected JavaScript code that seems to target mainly websites powered by WordPress and Joomla. Below there is a screenshot of the malicious script: As we can see from the image above, the injected code starts with: <!--Injection_head[SessionID=...]--> And it ends with: ...

Recent Blackhole Exploit Kit Activity

Our honeypot has logged some new Blackhole Exploit Kit activity. The Java exploit file Set.jar is downloaded: GET /Set.jar HTTP/1.1 content-type: application/x-java-archive User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13 Host: 64.111.24.122 HTTP/1.1 200 OK Server: nginx Date: Wed, 06 Jun 2012 22:43:12 GMT Content-Type: app...

Link LinkedIn Mail leads to Incognito exploit kit

We have logged a new email that looks as if it was sent by LinkedIn: The email header info shows it is a scam: Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24]) Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net Date: Fri, 04 May 2...

Com.Br Websites Infected with Malicious JS Code (count18.php)

Our sandbox has logged various domains with the suffix .COM.BR infected with malicious obfuscated JavaScript code that is injected at the beginning of the HTML pages of the websites, before the initial <html> tag: The malicious script redirects users to a malicious URL: hxxp:// bylviha .ru/count18.php An example of websites inf...

Express LinkedIn Mail: spread Blackhole Exploit Kit URLs

We have received a few emails that looked as if they were sent from LinkedIn: But after checking the email header details it was clearly spam: Return-Path: trtro@www.trt.ro Received: from vps136.whmpanels.com (unknown [89.42.219.181]) Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com Date: Fri, 30 Mar 2012 21:37:47 +...

Spam “Your updated information is necessary” leads to Blackhole Exploit Kit

We have received various spam emails that imitate messages from the Better Business Bureau (BBB), but are really used to spread malicious links that lead to the Blackhole Exploit Kit. The subject of the emails looks like this: Your updated information is necessary A screenshot of the email: Other details of the emails: Return-Path: &...

Hidden Iframe in MineCraftForum.Net

Users have reported to us another website infected by a hidden iframe: hxxp://www.minecraftforum.net/ All web pages are affected! Here is an image of the hidden iframe at the bottom of the HTML pages: When I visited the infected website, NoVirusThanks EXE Radar Pro displayed an alert about an unknown executable that tried to run i...