Sponsored by..

Showing posts with label Syria. Show all posts
Showing posts with label Syria. Show all posts

Friday, 6 September 2013

CNN "The United States began bombing" spam / luggagepreview.com

This fake CNN spam leads to malware on luggagepreview.com:

Date:      Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: "The United States began bombing"

The United States began bombing!
By Casey Wian, CNN
updated 9:01 AM EDT, Wed August 14, 2013


(CNN) -- Pentagon officials said that the United States launched the first strikes against Syria. It was dropped about 15 bomn on stalitsu syria Damascus.  Full story >>
Rescuing Hannah Anderson

    Sushmita Banerjee was kidnapped and killed in Afghanistan, police say
    No one has claimed responsibility for her death, but police suspect militants
    Banerjee wrote "A Kabuliwala's Bengali Wife" about her escape from the Taliban

The link in the email is meant to go to [donotclick]senior-tek.com/tenth/index.html but the "Full story" link has a typo in and goes to senior-tekcom/tenth/index.html (without the dot) instead which obviously fails. This site then tries to load these three scripts:
[donotclick]crediamo.it/disburse/ringmaster.js
[donotclick]stages2saturn.com/scrub/reproof.js
[donotclick]www.rundherum.at/rabbiting/irritate.js

From there the visitor is sent to a malicious payload at  [donotclick]luggagepreview.com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 174.140.171.207 (DirectSpace LLC, US) along with several other hijacked domains listed below in italics.

Recommended blocklist:
174.140.171.207
luggagepoint.de
luggagewalla.com
londonleatherusa.com
luggagejc.com
londonleatheronline.com
luggagecast.com
luggage-tv.com
luggagepreview.com
dyweb.info
yesrgood.info
dai-li.info
expopro.info
crediamo.it
stages2saturn.com
www.rundherum.at