(Note that the payload links have been lightly obfuscated, don't click them.)

Sample 1:
From: Graham Jarvis [mailto:alejandro.alfonzo-larrain@tctwest.net]
Sent: 17 April 2013 09:49
Subject: Video of Explosion at the Boston Marathon 2013
hxxp:||61.63.123.44/news.html

Sample 2:
From: Sally Rasmussen [mailto:artek33@risd.edu]
Sent: 17 April 2013 09:49
To: UK HPEA 2
Subject: Aftermath to explosion at Boston Marathon
hxxp:||190.245.177.248/news.html
If you follow the link you see a set of genuine YouTube videos. However, the last one appears blank because it is in fact a malicious IFRAME pointing to [donotclick]askmeaboutcctv.com/wmiq.html (report here), which appears to be a legitimate but hacked site. The server seems to be overloaded at the moment, which is a good thing I suppose.
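The trick described above (a page of genuine YouTube embeds with one extra frame that loads the hacked site) is easy to spot mechanically: pull every IFRAME out of the page and flag any whose host is not one you expect, or which is sized or styled so that it never shows. The script below is an added example written for this post, not code from the original post or from the lure page; the allowed-host set and the sample page (including the video IDs) are constructed assumptions, and the off-host frame simply reuses the hacked domain named above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a lure page like this one legitimately embeds. Assumption for the
# example: anything other than a YouTube embed is worth a look.
ALLOWED_IFRAME_HOSTS = {
    "youtube.com", "www.youtube.com",
    "youtube-nocookie.com", "www.youtube-nocookie.com",
}


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value):
    """Parse a width/height attribute ('0', '1px', '100%'); None if not numeric."""
    v = value.strip().lower().rstrip("px").strip()
    return int(v) if v.isdigit() else None


def _looks_hidden(attrs):
    """True if the frame is sized away (0 or 1 pixel) or hidden by inline style."""
    if _pixels(attrs.get("width", "")) in (0, 1) or _pixels(attrs.get("height", "")) in (0, 1):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html):
    """Return the iframes that point off the allowed hosts or are hidden."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        off_host = host not in ALLOWED_IFRAME_HOSTS
        hidden = _looks_hidden(attrs)
        if off_host or hidden:
            hits.append({"src": src, "host": host, "off_host": off_host, "hidden": hidden})
    return hits


# Constructed stand-in for the lure page: three genuine-looking YouTube embeds
# followed by a frame that loads the hacked site named in the post.
SAMPLE_PAGE = """
<html><body>
<h1>Boston Marathon Explosion</h1>
<iframe width="560" height="315" src="http://www.youtube.com/embed/AAAAAAAAAAA"></iframe>
<iframe width="560" height="315" src="http://www.youtube.com/embed/BBBBBBBBBBB"></iframe>
<iframe width="560" height="315" src="//www.youtube.com/embed/CCCCCCCCCCC"></iframe>
<iframe width="560" height="315" src="http://askmeaboutcctv.com/wmiq.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE):
        print(hit)
```

Run it against a saved copy of a suspect page (fetch it from a sandboxed machine, never from a workstation); the fourth frame in the sample is reported because its host is off the allow list, even though it is the same size as the real embeds, which is exactly why it "seems blank" to a visitor.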
Some more sample subjects and links:
Subject: Video of Explosion at the Boston Marathon 2013
Subject: Aftermath to explosion at Boston Marathon
Subject: Explosion at Boston Marathon
Subject: Explosions at the Boston Marathon
Subject: 2 Explosions at Boston Marathon
[donotclick]46.233.4.113/boston.html
[donotclick]37.229.92.116/boston.html
[donotclick]188.2.164.112/news.html
[donotclick]109.87.205.222/news.html
I would advise blocking these IPs and domains. Be vigilant against this kind of attack, and bear in mind that the bad guys may try to exploit Margaret Thatcher's funeral and the London Marathon in the same way.
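To act on the indicators above you first have to undo the obfuscation (hxxp:|| and [donotclick]) without accidentally producing clickable links in your notes, then separate the IPs from the domains for the respective blocklists and match incoming mail against the subject lines and link hosts. The script below is an added example written for this post, not the author's own tooling; the indicator and subject lists are copied from the post, while the sample messages and the refanging rules are constructed assumptions for the example.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Indicators copied from the post, kept in their defanged form so that a
# stray copy-paste cannot become a live link.
DEFANGED_URLS = [
    "hxxp:||61.63.123.44/news.html",
    "hxxp:||190.245.177.248/news.html",
    "[donotclick]askmeaboutcctv.com/wmiq.html",
    "[donotclick]46.233.4.113/boston.html",
    "[donotclick]37.229.92.116/boston.html",
    "[donotclick]188.2.164.112/news.html",
    "[donotclick]109.87.205.222/news.html",
]

LURE_SUBJECTS = [
    "Video of Explosion at the Boston Marathon 2013",
    "Aftermath to explosion at Boston Marathon",
    "Explosion at Boston Marathon",
    "Explosions at the Boston Marathon",
    "2 Explosions at Boston Marathon",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(indicator):
    """Turn 'hxxp:||host/path' or '[donotclick]host/path' back into a real URL."""
    url = indicator.strip().replace("[donotclick]", "")
    url = re.sub(r"^hxxp(s?):\|\|", r"http\1://", url, flags=re.IGNORECASE)
    if "://" not in url:
        url = "http://" + url
    return url


def split_indicators(indicators):
    """Return (ips, domains) extracted from the defanged list."""
    ips, domains = set(), set()
    for ind in indicators:
        host = urlparse(refang(ind)).hostname
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host.lower())
    return ips, domains


def _norm(text):
    """Collapse whitespace and case so subject comparison is tolerant."""
    return re.sub(r"\s+", " ", text).strip().lower()


def classify_email(subject, body, indicators=DEFANGED_URLS):
    """Return the reasons an e-mail matches the campaign (empty list = clean)."""
    ips, domains = split_indicators(indicators)
    bad_hosts = ips | domains
    reasons = []
    if _norm(subject) in {_norm(s) for s in LURE_SUBJECTS}:
        reasons.append("subject matches campaign lure")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in bad_hosts:
            reasons.append("link to known bad host " + host)
    return reasons


# Constructed sample messages (not real captures): one lure, one benign.
SAMPLE_MAIL = [
    {"subject": "Explosion at Boston Marathon",
     "body": "http://46.233.4.113/boston.html"},
    {"subject": "Boston Marathon results",
     "body": "Results are up at http://www.example.org/results"},
]

if __name__ == "__main__":
    ips, domains = split_indicators(DEFANGED_URLS)
    print("block IPs:", sorted(ips))
    print("block domains:", sorted(domains))
    for m in SAMPLE_MAIL:
        print(m["subject"], "->", classify_email(m["subject"], m["body"]) or "clean")
```

The IP set is what goes into the firewall or proxy deny list and the domain set into DNS or web filtering; matching on both subject and link host keeps a benign mail that merely mentions the marathon from being quarantined on its subject alone, so treat a subject-only hit as a flag for review rather than a block.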