RE: A new technique to disguise a target URL in spam

From: Mason, Seth IFC (Seth.Mason_at_UTCFuelCells.com)
Date: 04/05/04

  • Next message: Jeremiah Cornelius: "Re: A new technique to disguise a target URL in spam"
    To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
    Date: Mon, 5 Apr 2004 11:03:37 -0400 
    
    

    I have seen the same technique used in other emails, e.g. spoofed eBay
    account messages that take you to a fake eBay site. It is quite common and
    will fool a lot of people.

    Seth Mason

    -----Original Message-----
    From: DCISS [mailto:dciss@bigpond.net.au]
    Sent: Sunday, April 04, 2004 8:18 PM
    To: Incidents@Security focus
    Subject: A new technique to disguise a target URL in spam

    This is a new technique I have found to disguise a target URL in spam
    e-mail. I received an e-mail claiming that I was infected with the
    Netsky.b virus. It included a valid link to McAfee. Hovering the mouse
    over the link shows that it is for "http://www.mcafee.com". However, I
    was suspicious because the e-mail came from a completely unexpected user
    I had never sent e-mail to. Using the view source feature (I use
    Netscape), I found that the e-mail contained the following interesting
    piece of code:

    <FORM action=3dhttp://aicworld=2einfo/anz=2ehtm method=3dget>
    <A href=3d"http://www=2emcafee=2ecom">
    <INPUT style=3d"BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt;
    BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt;
    BACKGROUND-COLOR: transparent;
    TEXT-DECORATION: underline" type=3dsubmit value=3dhttp://www=2emcafee=2ecom>
    </a>
    ....
    </FORM>

    (note that the dots in the URLs have been escaped for some reason)

    This code creates an invisible form which appears to be a link to a
    reputable antivirus company. However clicking on the link instead
    brings us to aicworld.info/anz.htm. I wasn't going to risk my home
    computer on an unsafe link, and by the time I tried on a work computer,
    the site was down, so I don't know what clicking on the link would have
    downloaded. Has anybody else seen this technique before, or know what
    was being propagated?

    Mark Goldfinch

    ---------------------------------------------------------------------------
    Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
    wireless security

    Protect your network against hackers, viruses, spam and other risks with Astaro
    Security Linux, the comprehensive security solution that combines six
    applications in one software solution for ease of use and lower total cost of
    ownership.

    Download your free trial at
    http://www.securityfocus.com/sponsor/Astaro_incidents_040301
    ----------------------------------------------------------------------------
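
A mail-filter check for the pattern described in this thread, added here as an example and not part of the original messages: it decodes the quoted-printable body (the `=3d` and `=2e` sequences in the quoted source are that encoding of `=` and `.`) and flags any submit button whose label or wrapping link names a different host than the enclosing form's action. The names `FormLinkAudit` and `audit_body` and the second sample form are assumptions made for this example.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the quoted snippet, plus one ordinary form.
SAMPLE_QP = b'''<FORM action=3dhttp://aicworld=2einfo/anz=2ehtm method=3dget>
<A href=3d"http://www=2emcafee=2ecom">
<INPUT style=3d"CURSOR: hand; COLOR: blue; TEXT-DECORATION: underline"
 type=3dsubmit value=3dhttp://www=2emcafee=2ecom>
</a>
</FORM>
<form action=3d"http://example=2ecom/search"><input type=3dsubmit value=3dSearch></form>
'''

def host(url):  # lower-cased hostname of an absolute URL, None for plain text
    return (urlparse(url).hostname or "").lower() or None

class FormLinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_action = None  # action of the enclosing <form>, if any
        self.anchor_href = None  # href of the enclosing <a>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = a.get("action") or ""
        elif tag == "a":
            self.anchor_href = a.get("href")
        elif (tag == "input" and self.form_action is not None
              and (a.get("type") or "").lower() in ("submit", "image")):
            # URLs the reader sees: the button label and the status-bar href.
            shown = [u for u in (a.get("value"), self.anchor_href) if u and host(u)]
            if any(host(u) != host(self.form_action) for u in shown):
                self.findings.append({"displayed": shown[0], "submits_to": self.form_action})

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None
        elif tag == "a":
            self.anchor_href = None

def audit_body(qp_bytes):
    """Decode a quoted-printable HTML part and return disguised-form findings."""
    parser = FormLinkAudit()
    parser.feed(quopri.decodestring(qp_bytes).decode("utf-8", "replace"))
    parser.close()
    return parser.findings
```

Calling `audit_body(SAMPLE_QP)` reports only the first form; the ordinary search form, whose button label is plain text, is not flagged.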
