CME711: Happy Valentine's Day and Halifax phish
The CME711 gang has changed their tactics again. We've started seeing emails in our mail drops with pointers to nodes serving "withlove.exe" and "with_love.exe".
So far they have reverted to sending bare IP addresses in the email body, which makes it easy for most spam filters to catch.
The website code looks the same as in previous runs, with fake binary blobs in comments and the greeting:
Your download should begin shortly. If your download does not start
in 10-20 seconds, you can click here to launch the download
and then press Run
The "click here" link is written by a piece of javascript: document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A' ) );
That unescape() string decodes to <a href="with_love.exe"> followed by a CRLF, so the obfuscated link points at with_love.exe. Additionally there is an image of a pink heart on the page that links to with_love.exe. You may wish to update your Snort signatures.
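As an added example (not code from the original post or from the CME711 pages themselves), the snippet below reimplements the legacy unescape() decoding so the document.write() payload can be checked offline, then pulls every .exe link out of a page, whether it was written by the obfuscated script or sits in static markup like the pink-heart image link. The SAMPLE_PAGE HTML is constructed for this example; only the %-encoded string is copied verbatim from the post.

```javascript
'use strict';

// Constructed sample of a "with love" dropper page. The unescape() argument is the
// real string from the post; the surrounding markup is an assumption for this example.
const SAMPLE_PAGE = [
  '<html><body>',
  'Your download should begin shortly. If your download does not start',
  'in 10-20 seconds, you can click <script>document.write( unescape( ',
  "'%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A' ) );",
  '</script>here</a> to launch the download and then press Run',
  '<a href="with_love.exe"><img src="heart.gif" alt="pink heart"></a>',
  '</body></html>',
].join('\n');

// Re-implement the legacy JavaScript unescape(): %XX decodes to a single code unit,
// %uXXXX to a UTF-16 code unit. Anything else is left untouched, as the browser does.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Pull every string literal passed to document.write(unescape('...')) out of a page.
// Whitespace and newlines between the tokens are tolerated, as in the real page.
function extractUnescapePayloads(html) {
  const re = /document\.write\s*\(\s*unescape\s*\(\s*(['"])([^'"]*)\1\s*\)\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

// Collect href targets from a fragment of HTML (static or freshly decoded).
function extractHrefs(fragment) {
  const re = /href\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(fragment)) !== null) out.push(m[1]);
  return out;
}

// Decode the obfuscated payloads, then return the unique, sorted set of .exe targets
// reachable from the page: both the script-written link and the static heart link.
function findExecutableLinks(html) {
  const decoded = extractUnescapePayloads(html).map(jsUnescape);
  const all = [...extractHrefs(html), ...decoded.flatMap(extractHrefs)];
  return [...new Set(all.filter((h) => /\.exe$/i.test(h)))].sort();
}

// Stand-alone run: print the decoded fragment and the executables the page leads to.
console.log(JSON.stringify(extractUnescapePayloads(SAMPLE_PAGE).map(jsUnescape)));
console.log(findExecutableLinks(SAMPLE_PAGE));
```

Running the decoder against the post's string is how the correction above was checked: the payload is an anchor to with_love.exe, not to withlove.exe. The static scan is kept separate from the decoded scan on purpose, since the %-encoded text contains no literal "href=" and would otherwise be missed.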
Additionally we're tracking a phish using Storm Worm fast-flux nodes with the domain ibank-halifax.com.

1 comment:
Confirm.
IP from mail that I got: 69.154.197.28
The with_love.exe file exists. Haven't analysed the file yet. Greetings.