
  1. NotBuyingIt on Wed 29 Jan 2014, 07:03:59 PM UTC

    another 3-script botnet exploit

    Today, a criminal botnet is aggressively spamming deceptive URLs linking to infected websites which use three external JavaScript files to redirect to a "payload" site. This exploit follows a familiar "three scripts" pattern. At the moment, the exploit fraudulently represents itself as American Express (but that may change).

    a payload landing page:
    modernrealtycharlotte.com/americanexpress/

    three JavaScript redirection files:
    Holidaymatrix.com/bushel/maricela.js
    ludus.inet.hr/characteristically/slaughterers.js
    wholeperson.org.hk/counteroffer/spendthrifts.js

    WOT trusted sources already caution about many of the deceptive URLs detected in the spam.

     Data that is stored in the cloud may become lost in the fog.
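A defender-side triage helper for the chain the post describes (a landing page that pulls several third-party .js files, each of which redirects the browser to the payload site). This is an added example, not code from the post or from WOT; the page host, script hosts, paths and script bodies are constructed placeholders under .invalid.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed placeholders (.invalid hosts, fake bodies), not the thread's indicators.
SAMPLE_PAGE_HOST = "compromised-landing.invalid"
SAMPLE_HTML = """<html><head>
<script src="http://js1.invalid/word1/a.js"></script>
<script src="//js2.invalid/word2/b.js"></script>
<script src="http://js3.invalid/word3/c.js"></script>
<script src="/local/site.js"></script></head><body></body></html>"""
SAMPLE_SCRIPTS = {  # what fetching each src would return (constructed)
    "http://js1.invalid/word1/a.js": 'window.location = "http://payload.invalid/americanexpress/";',
    "//js2.invalid/word2/b.js": "top.location.href='http://payload.invalid/americanexpress/';",
    "http://js3.invalid/word3/c.js": 'document.location.replace("http://payload.invalid/americanexpress/");',
    "/local/site.js": "var x = 1;",
}

# Assignments to [window|top|self|document|parent.]location[.href] and calls to
# location.replace()/assign() with a string literal: the simplest redirector shapes.
REDIRECT_RE = re.compile(
    r"""(?:(?:window|top|self|document|parent)\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\s*\(\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.srcs.extend(v for k, v in attrs if k.lower() == "src" and v)
def redirect_targets(script_text):
    """Return every literal URL the script sends the browser to."""
    return [a or b for a, b in REDIRECT_RE.findall(script_text)]

def triage_landing_page(page_host, html, fetched_scripts, min_external=3):
    """Flag a page that loads scripts from >= min_external third-party hosts, at least one of which redirects."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    external, targets = set(), set()
    for src in collector.srcs:
        host = urlparse(src).hostname  # None for relative, same-site srcs
        if host and host.lower() != page_host.lower():
            external.add(host.lower())
        targets.update(redirect_targets(fetched_scripts.get(src, "")))
    return {"external_hosts": sorted(external), "redirect_targets": sorted(targets),
            "suspicious": len(external) >= min_external and bool(targets)}
```

The script bodies would normally come from fetching each src in a sandbox; here they are supplied as a dict so the check runs offline.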

Comments:

  1. NotBuyingIt on Wed 29 Jan 2014, 08:57:04 PM UTC

    RE: another 3-script botnet exploit

    more malicious files —

    JavaScript redirection file:
    javiermartinez.atspace.eu/francisca/tush.js

    deceptive URL in spam:

    championcanopies.com/bacchus/index.html
    msvsc01-g31nc.fm.netbenefit.co.uk/encroaching/index.html
    www.palovics.hu/sweatiest/index.html
    ftp.sagesolutionsinc.com/waive/index.html
    skyprotrading.com/middlebrows/index.html

  2. NotBuyingIt on Thu 30 Jan 2014, 12:19:50 AM UTC

    RE: another 3-script botnet exploit

    more malicious files —

    a payload landing page:
    modernrealtycondos.com/americanexpress/

    JavaScript redirection files:
    kabaitimea.sapte.ro/benefit/monitored.js
    maroncelli.org/bookended/gabbling.js

    deceptive URL in spam:

    188.165.206.52/narcissistic/index.html
    www.palovics.hu/validates/index.html

  3. NotBuyingIt on Thu 30 Jan 2014, 01:06:29 AM UTC

    RE: another 3-script botnet exploit

    more malicious files —

    a payload landing page:
    perfectbackstretch.com/americanexpress/

    deceptive URL in spam:

    61.64.96.64/mumford/index.html
    dailyreport.cffy88.com/battering/index.html

  4. NotBuyingIt on Thu 30 Jan 2014, 01:55:21 AM UTC

    RE: another 3-script botnet exploit

    more malicious files —

    payload landing page(s):
    pawprintessentials.com/americanexpress/
    50.116.5.209/americanexpress/

    deceptive URL in spam:

    036be8e.netsolhost.com/alluvia/index.html
    www.mossandlam.com/inhalations/index.html

  5. NotBuyingIt on Thu 30 Jan 2014, 02:34:50 AM UTC

    RE: another 3-script botnet exploit

    more malicious files —

    deceptive URL in spam:

    76.12.166.243/noodling/index.html
    nrsgroup.com/personifications/index.html
    rview.tv/explores/index.html
    www.tt-roboter.de/ratcheted/index.html
    wampxfer.w1t6pl.com/inculcates/index.html

    See an independent report of this exploit at
    http://www.wizcrafts.net/blogs/2014/01/new_phishing_scam_targeting_american_express_car.html

  6. NotBuyingIt on Thu 30 Jan 2014, 04:09:59 AM UTC

    RE: another 3-script botnet exploit

    more malicious files —

    payload landing page:
    50.56.119.123:8080/americanexpress/

    deceptive URL in spam:

    joesmusicacademy.com/inarticulate/index.html
    joesmusicacademy.com/perplexed/index.html
    joesmusicacademy.com/trimmings/index.html
    joesmusicacademy.com/unhooks/index.html

  7. NotBuyingIt on Tue 04 Feb 2014, 05:19:57 PM UTC

    4 scripts (instead of 3) in these specimens

    manesi-apartments.com/rednecks/index.html
    manesi-apartments.com/startling/index.html

    ftp.brickwallmgmt.com/blinked/gave.js
    esvc000681.wic021tu.server-web.com/seasick/amorally.js
    www.furairgallon.be/cockfights/gounod.js
    www.partytoolbox.com/cuff/plumber.js

    barbiefacialgames.com/americanexpress/

  8. NotBuyingIt on Tue 04 Feb 2014, 06:25:31 PM UTC

    RE: 4 scripts (instead of 3) in these specimens

    4morecashflow.ca/basked/freedman.js

    69.163.47.166/americanexpress/

    Incident reports with safe-to-view screenshots are at
    https://www.phishtank.com/phish_detail.php?phish_i...
    https://www.phishtank.com/phish_detail.php?phish_i...

    [Edit: 04-February-2014 19:00 UTC Added more, below]

    For a much more detailed discussion, see
    http://techhelplist.com/index.php/spam-list/460-important-personal-security-key-phishing

  9. NotBuyingIt on Tue 04 Feb 2014, 07:43:12 PM UTC

    RE: 4 scripts (instead of 3) in these specimens

  10. NotBuyingIt on Tue 04 Feb 2014, 10:45:26 PM UTC

    RE: 4 scripts (instead of 3) in these specimens

    bathgames.net/americanexpress/

    I suspect that the botnet has hijacked the following DNS (at IP 37.220.39.130) which is used in the scam.

    NS1.FUTBOLMEYDANI.COM

  11. NotBuyingIt on Tue 04 Feb 2014, 11:18:49 PM UTC

    RE: 4 scripts (instead of 3) in these specimens

    axsysbusinesscredit.com/pluralizes/copulae.js

  12. NotBuyingIt on Tue 04 Mar 2014, 01:44:26 AM UTC

    another run of a 4-scripts exploit

    target:
    powerhosting.mobi/fou76zuege

  13. NotBuyingIt on Mon 19 Jun 2017, 03:16:42 PM UTC

    new site evaluation for instantcard.net

    A new site evaluation for instantcard.net has been initiated at
    https://www.mywot.com/forum/68118-instantcard-net

    The malicious javascript file that I reported on 14-February-2014 (above) has apparently been removed or disabled.