Sponsored by..

Monday 19 November 2012

"W-1" spam / 5.chinottoneri.com

This is a new one, pretending to be from the victim's HR department with tailored fake links in the email that look like they are going to the victim's own domain. Of course, floating over the links reveals that they point to some other domain entirely. A W-1 form is a tax form or some sort from the US Internal Revenue Service.

From: Administrator [mailto:administrator@victimdomain.com]
Sent: 19 November 2012 14:50
Subject: To All Employee's - Important Address UPDATE

To All Employee's:

The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address.
Verify that the address is correct - https://local.victimdomain.com/details.aspx?id=[redacted]
If changes need to be made, contact HR at https://hr.victimdomain.com/update.aspx?id=[redacted].

 Administrator,
http://victimdomaincom
In this case, the link bounces through two hacked legitimate sites to end up at [donotclick]5.chinottoneri.com/links/landing-philosophy_dry-suspende.php hosted on 50.61.155.86 (Fortress ITX, US). VirusTotal detections are pretty low. I suspect that there are many other malicious sites on this IP, blocking it would be wise.

2 comments:

bneises said...
This comment has been removed by the author.
bneises said...
This comment has been removed by the author.