Wednesday, 16 October 2013

Pinterest spam, and the return of the RU:8080 gang?

This fake Pinterest spam leads to a malicious download on

Date:      Wed, 16 Oct 2013 12:03:11 -0300 [11:03:11 EDT]
From:      Pinterest []
Subject:      Your Facebook friend Andrew Hernandez joined Pinterest

A Few Updates...
Andrew Hernandez    

Your Facebook friend Andrew Hernandez just joined Pinterest. Help welcome Carol to the community!
Visit Profile
Happy pinning!

©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions
Andrew is a pretty feminine-looking bloke. The link in the email goes through a legitimate hacked site and then ends up on a fake browser download page (report here) that attempts to download [donotclick]  which has a VirusTotal detection rate of just 1/48 (only Kaspersky detects it... again).
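As an added example (not part of the original post), a small triage script that flags the two tells visible in the quoted message: the display name claims Pinterest while the sender and link hosts belong elsewhere, and the template announces Andrew but asks you to welcome Carol. The message below is a constructed reproduction; example.invalid and hacked-site.example are placeholder hostnames, not the real ones.

```python
"""Heuristic triage of a fake 'friend joined Pinterest' notification."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the quoted spam; the domains are placeholders.
SAMPLE = """\
From: Pinterest <notify@example.invalid>
Subject: Your Facebook friend Andrew Hernandez joined Pinterest
Content-Type: text/html

<p>Your Facebook friend Andrew Hernandez just joined Pinterest.
Help welcome Carol to the community!</p>
<a href="http://hacked-site.example/wp-content/go.php">Visit Profile</a>
"""

# Domains a genuine notification from this brand would use (assumption for the example).
BRAND_DOMAINS = {"pinterest": {"pinterest.com"}}


def host_of(url):
    """Return the lower-cased hostname of an http(s) URL."""
    return re.sub(r"^https?://([^/:]+).*$", r"\1", url).lower()


def triage(raw):
    """Return a list of (finding, details) pairs for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg["From"])
    brand = display.strip().lower()
    body = msg.get_payload()
    # Every host the mail points at: sender domain plus all link targets.
    hosts = {host_of(u) for u in re.findall(r'href="([^"]+)"', body)}
    hosts.add(addr.rsplit("@", 1)[-1].lower())
    allowed = BRAND_DOMAINS.get(brand)
    if allowed:
        # The display name claims a brand, so every host must belong to it.
        bad = {h for h in hosts
               if not any(h == d or h.endswith("." + d) for d in allowed)}
        if bad:
            findings.append(("brand_domain_mismatch", sorted(bad)))
    # Template inconsistency: the new member and the person to welcome differ.
    joined = re.search(r"friend (\w+) \w+ just joined", body)
    welcome = re.search(r"Help welcome (\w+) to", body)
    if joined and welcome and joined.group(1) != welcome.group(1):
        findings.append(("name_mismatch", [joined.group(1), welcome.group(1)]))
    return findings
```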

The ThreatTrack report [pdf] looks like peer-to-peer Zeus to me; the Malwr report and Comodo CAMAS report also give some insight. is registered to the infamous Russian "private person" and is hosted on the following IPs: (Intergenia AG, Germany) (RapidDSL & Wireless, US)
The domain is also hosted on these IPs.

What's interesting is that was seen here months ago, which makes this look like the unwelcome return of the RU:8080 gang after a long absence.

Recommended blocklist:

The malware page uses a similar script to that used here, although with the rather cheeky comment:

// It's "cool" to let user wait 2 more seconds :/

1 comment:

zabon said... TAKE VACATIONS NOW