From: Administrator [mailto:administrator@victimdomain.com]In this case, the link bounces through two hacked legitimate sites to end up at [donotclick]5.chinottoneri.com/links/landing-philosophy_dry-suspende.php hosted on 50.61.155.86 (Fortress ITX, US). VirusTotal detections are pretty low. I suspect that there are many other malicious sites on this IP, blocking it would be wise.
Sent: 19 November 2012 14:50
Subject: To All Employee's - Important Address UPDATE
To All Employee's:
The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address.
Verify that the address is correct - https://local.victimdomain.com/details.aspx?id=[redacted]
If changes need to be made, contact HR at https://hr.victimdomain.com/update.aspx?id=[redacted].
Administrator,
http://victimdomaincom
Monday, 19 November 2012
"W-1" spam / 5.chinottoneri.com
This is a new one, pretending to be from the victim's HR department with tailored fake links in the email that look like they are going to the victim's own domain. Of course, floating over the links reveals that they point to some other domain entirely. A W-1 form is a tax form or some sort from the US Internal Revenue Service.
Subscribe to:
Post Comments (Atom)
2 comments:
Post a Comment