"Amazon.com order cancellation" spam


Postby wahnula » Sat Mar 06, 2010 3:51 pm

Hello,

I put this in this category because the link points to a hacked webserver (I already notified the site):

Dear Customer,

Your order has been successfully canceled. For your reference, here`s a summary of your order:

You just canceled order #2000-71340-691701

Status: CANCELED

_____________________________________________________________________

ORDER DETAILS
Sold by: Amazon.com, LLC

_____________________________________________________________________

Because you only pay for items when we ship them to you, you won`t be charged for any items that you cancel.

Thank you for visiting Amazon.com!

---------------------------------------------------------------------
Amazon.com
Earth`s Biggest Selection
httq://www.amazon.com


The "ORDER DETAILS" link points to:

httq://alliedsafetyeng.c0m/fascinated.html

It is a Glavmed spam, but might also host an exploit. Never seen this one before. Allied Safety Engineering seems to be a legit company, I have notified them through their web contact and hopefully they will sanitize their site.

Just a heads-up, anyone else see this?
wahnula
Spam Reporter
 
Posts: 103
Joined: Wed Nov 25, 2009 3:51 pm

Re: "Amazon.com order cancellation" spam

Postby tex.writer » Sat Mar 06, 2010 7:07 pm

Reports about a large number of fake Amazon order confirmations
http://isc.sans.org/diary.html?storyid=8344
tex.writer
Spam Reporter
 
Posts: 124
Joined: Fri Feb 20, 2009 5:14 pm

Re: "Amazon.com order cancellation" spam

Postby AlphaCentauri » Sun Mar 07, 2010 10:47 am

What's with this one?
klbusconnection.com/expanse.html

The root domain klbusconnection.com shows a page
Code:
<font face="Arial" size=2>
<p>Microsoft VBScript compilation </font> <font face="Arial" size=2>error '800a0401'</font>
<p>
<font face="Arial" size=2>Expected end of statement</font>
<p>
<font face="Arial" size=2>/common/i_utils.asp</font><font face="Arial" size=2>, line 72</font>
<pre>response.write &quot;                                                                           &lt;!--ME4T3US--&gt; &lt;strong id=&quot;lmenu761&quot;&gt; , &lt;a href=&quot;http://axncrime5793.blogspot.com&quot;&gt; the Religious&lt;/a&gt;, .  Maouni Farez Change moi ma vie, &lt;a href=&quot;http://mpa4609.blogspot.com/2009/08/movie-change-moi-ma-vie-2001.html&quot;&gt;Download Change moi ma vie&lt;/a&gt;, Michel Tancelin Change moi ma vie.  Vijayshanti Bhale Donga, &lt;a href=&quot;http://euroartsentertainment4631.blogspot.com/2009/08/movie-bhale-donga-1989.html&quot;&gt;Download Bhale Donga movie&lt;/a&gt;, Kodanda Rami Reddy A. Bhale Donga. &lt;/strong&gt;&lt;script language=&quot;javascript&quot;&gt; var zf25=[&quot;163&quot;, &quot;174&quot;, &quot;162&quot;, &quot;180&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;179&quot;, &quot;109&quot;, &quot;166&quot;, &quot;164&quot;, &quot;179&quot;, &quot;132&quot;, &quot;171&quot;, &quot;164&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;179&quot;, &quot;129&quot;, &quot;184&quot;, &quot;136&quot;, &quot;163&quot;, &quot;103&quot;, &quot;97&quot;, &quot;171&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;180&quot;, &quot;118&quot;, &quot;117&quot;, &quot;112&quot;, &quot;97&quot;, &quot;104&quot;, &quot;109&quot;, &quot;178&quot;, &quot;179&quot;, &quot;184&quot;, &quot;171&quot;, &quot;164&quot;, &quot;109&quot;, &quot;175&quot;, &quot;174&quot;, &quot;178&quot;, &quot;168&quot;, &quot;179&quot;, &quot;168&quot;, &quot;174&quot;, &quot;173&quot;, &quot;95&quot;, &quot;124&quot;, &quot;95&quot;, &quot;97&quot;, &quot;160&quot;, &quot;161&quot;, &quot;178&quot;, &quot;174&quot;, &quot;171&quot;, &quot;180&quot;, &quot;179&quot;, &quot;164&quot;, &quot;97&quot;, &quot;122&quot;, &quot;163&quot;, &quot;174&quot;, &quot;162&quot;, &quot;180&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;179&quot;, &quot;109&quot;, &quot;166&quot;, &quot;164&quot;, 
&quot;179&quot;, &quot;132&quot;, &quot;171&quot;, &quot;164&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;179&quot;, &quot;129&quot;, &quot;184&quot;, &quot;136&quot;, &quot;163&quot;, &quot;103&quot;, &quot;97&quot;, &quot;171&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;180&quot;, &quot;118&quot;, &quot;117&quot;, &quot;112&quot;, &quot;97&quot;, &quot;104&quot;, &quot;109&quot;, &quot;178&quot;, &quot;179&quot;, &quot;184&quot;, &quot;171&quot;, &quot;164&quot;, &quot;109&quot;, &quot;182&quot;, &quot;168&quot;, &quot;163&quot;, &quot;179&quot;, &quot;167&quot;, &quot;95&quot;, &quot;124&quot;, &quot;95&quot;, &quot;111&quot;, &quot;122&quot;, &quot;163&quot;, &quot;174&quot;, &quot;162&quot;, &quot;180&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;179&quot;, &quot;109&quot;, &quot;166&quot;, &quot;164&quot;, &quot;179&quot;, &quot;132&quot;, &quot;171&quot;, &quot;164&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;179&quot;, &quot;129&quot;, &quot;184&quot;, &quot;136&quot;, &quot;163&quot;, &quot;103&quot;, &quot;97&quot;, &quot;171&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;180&quot;, &quot;118&quot;, &quot;117&quot;, &quot;112&quot;, &quot;97&quot;, &quot;104&quot;, &quot;109&quot;, &quot;178&quot;, &quot;179&quot;, &quot;184&quot;, &quot;171&quot;, &quot;164&quot;, &quot;109&quot;, &quot;167&quot;, &quot;164&quot;, &quot;168&quot;, &quot;166&quot;, &quot;167&quot;, &quot;179&quot;, &quot;95&quot;, &quot;124&quot;, &quot;95&quot;, &quot;111&quot;, &quot;122&quot;, &quot;163&quot;, &quot;174&quot;, &quot;162&quot;, &quot;180&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;179&quot;, &quot;109&quot;, &quot;166&quot;, &quot;164&quot;, &quot;179&quot;, &quot;132&quot;, &quot;171&quot;, &quot;164&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;179&quot;, &quot;129&quot;, &quot;184&quot;, &quot;136&quot;, &quot;163&quot;, &quot;103&quot;, 
&quot;97&quot;, &quot;171&quot;, &quot;172&quot;, &quot;164&quot;, &quot;173&quot;, &quot;180&quot;, &quot;118&quot;, &quot;117&quot;, &quot;112&quot;, &quot;97&quot;, &quot;104&quot;, &quot;109&quot;, &quot;178&quot;, &quot;179&quot;, &quot;184&quot;, &quot;171&quot;, &quot;164&quot;, &quot;109&quot;, &quot;174&quot;, &quot;181&quot;, &quot;164&quot;, &quot;177&quot;, &quot;165&quot;, &quot;171&quot;, &quot;174&quot;, &quot;182&quot;, &quot;95&quot;, &quot;124&quot;, &quot;95&quot;, &quot;97&quot;, &quot;167&quot;, &quot;168&quot;, &quot;163&quot;, &quot;163&quot;, &quot;164&quot;, &quot;173&quot;, &quot;97&quot;, &quot;122&quot;];var xctp471=&quot;&quot;;var wec254=&quot;&quot;;for (tgy56=0; tgy56&lt;zf25.length; tgy56++){wec254=zf25[tgy56]-63;xctp471=xctp471+String.fromCharCode(wec254);}eval(xctp471);&lt;/script&gt; &lt;!--ME4T3US--&gt; &lt;div class=ErrFont&gt;&quot; &amp; a_errors(i) &amp; &quot;&lt;/div&gt;&quot;

--------------------------------------------------------------------^</pre>


same with www.-
Malzilla doesn't decode anything and doesn't give an error message.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 6259
Joined: Thu Mar 01, 2007 3:01 am

Re: "Amazon.com order cancellation" spam

Postby spamislame » Sun Mar 07, 2010 1:16 pm

AlphaCentauri wrote:What's with this one?
klbusconnection.com/expanse.html

The root domain klbusconnection.com shows a page


All you need to know about that page is that it indicates that the entire server has been compromised. If you remember back in October / November, we kept seeing spam being sent to a few of our members with ftp links including a username and password. Investigating all of those links led to the discovery that every single page had either been completely changed to feature 100% exploit code, or had had iframe exploits added into the existing content.

This is one of those servers.

Other identifiers:

Code:
<!--ME4T3US-->


He's the guy who's been doing this for at least the past six months, but probably much, much longer.

The actual JavaScript in this particular example is (fortunately) innocuous, merely attempting to re-style a menu which is part of the blogger code this moron chose to include here, and which in this particular case doesn't include any content. The fact that we are shown this code as part of an ASP error output indicates it was an SQL injection which is now breaking the site instead of showing the exploit they wanted. (Someone isn't very good at proofing their code.)

SiL
spamislame
Site Admin
 
Posts: 6587
Joined: Tue May 09, 2006 9:18 am
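As an added defender-side example (not code from the thread or from any of its posters), the Python below repeats the `value - 63` transform that the injected script runs, but never calls eval, and then labels what the decoded statement does. The array values are the first 64 from the thread's sample; the regexes and the marker lists are my own assumptions.

```python
import html
import re

# Constructed sample: the first 64 values of the zf25 array quoted in the thread,
# wrapped back into the HTML-entity-escaped form the ASP error page displayed.
CODES = [163, 174, 162, 180, 172, 164, 173, 179, 109, 166, 164, 179, 132, 171, 164,
         172, 164, 173, 179, 129, 184, 136, 163, 103, 97, 171, 172, 164, 173, 180,
         118, 117, 112, 97, 104, 109, 178, 179, 184, 171, 164, 109, 175, 174, 178,
         168, 179, 168, 174, 173, 95, 124, 95, 97, 160, 161, 178, 174, 171, 180,
         179, 164, 97, 122]
SAMPLE = ("&lt;script language=&quot;javascript&quot;&gt; var zf25=["
          + ", ".join("&quot;%d&quot;" % c for c in CODES)
          + "];var xctp471=&quot;&quot;;var wec254=&quot;&quot;;"
          "for (tgy56=0; tgy56&lt;zf25.length; tgy56++){wec254=zf25[tgy56]-63;"
          "xctp471=xctp471+String.fromCharCode(wec254);}eval(xctp471);&lt;/script&gt;")

# Assumed patterns: a numeric array literal, and the 'array[i]-N' subtraction.
ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[([^\]]*)\]")
OFFSET_RE = re.compile(r"(\w+)\[\w+\]\s*-\s*(\d+)")

# Markers worth surfacing in decoded text (assumed lists): the first group pulls
# in remote content, the second merely hides injected markup (SEO link spam).
LOADER_MARKERS = ("iframe", "document.write", "createElement", "location", "unescape")
HIDING_MARKERS = ("position", "width", "height", "overflow", "display", "visibility")

def decode_numeric_array_script(escaped_html):
    """Reproduce the script's own decode loop without eval: unescape the error
    page text, find the numeric array, read the subtracted offset, map each
    value to a character. Returns (decoded_js, script_calls_eval)."""
    js = html.unescape(escaped_html)
    arr = ARRAY_RE.search(js)
    if arr is None:
        raise ValueError("no numeric array literal found")
    name, body = arr.group(1), arr.group(2)
    codes = [int(n) for n in re.findall(r"\d+", body)]
    off = OFFSET_RE.search(js)
    if off is None or off.group(1) != name:
        raise ValueError("no 'array[i]-N' offset found for %s" % name)
    decoded = "".join(chr(c - int(off.group(2))) for c in codes)
    return decoded, "eval(" in js

def classify(decoded):
    """Label decoded JS as 'loader', 'hider' or 'unknown' from the markers it uses."""
    hits = sorted(m for m in LOADER_MARKERS if m in decoded)
    if hits:
        return "loader", hits
    hits = sorted(m for m in HIDING_MARKERS if m in decoded)
    return ("hider" if hits else "unknown"), hits

if __name__ == "__main__":
    text, uses_eval = decode_numeric_array_script(SAMPLE)
    print(text, "| eval:", uses_eval, "|", classify(text))
```

On the thread's sample this yields a statement that only repositions the injected `lmenu761` element, which is consistent with spamislame's reading that the script hides the spam links rather than loading anything.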

Re: "Amazon.com order cancellation" spam

Postby tex.writer » Tue Mar 16, 2010 4:39 am

Phishing emails from 'Amazon' are well out of order
http://www.guardian.co.uk/money/2010/ma ... -customers
Customers of the online bookseller Amazon are being warned to be wary of a fake "phishing" email asking them to check their accounts.

These emails, addressed "Dear Customer", say: "Your order has been successfully canceled [sic]. For your reference, here's a summary of your order." They then give an order number and a link to "order information", which appears to take users to an external website that does not belong to Amazon. The emails have a link to the genuine Amazon.com website at the bottom, making them appear authentic.
tex.writer
Spam Reporter
 
Posts: 124
Joined: Fri Feb 20, 2009 5:14 pm

Re: "Amazon.com order cancellation" spam

Postby ahoier » Wed Mar 17, 2010 12:32 pm

Kinda concerned....has Amazon been infected? Are these spams "only" targeting amazon customers? Or are they being slung at everyone? :)

I know a couple months back, I was getting a lot of PayPal and eBay phish....but to an address I did not have registered at either site ;) So basically, typical brute force attempt.

But if these amazon mails are landing in boxes that do not have amazon accounts....then it's a brute force attempt.
ahoier
Spammer Killing Machine
 
Posts: 565
Joined: Thu Apr 03, 2008 4:33 pm
Location: Florida

Re: "Amazon.com order cancellation" spam

Postby meep » Wed Mar 17, 2010 1:59 pm

ahoier wrote:
Kinda concerned....has Amazon been infected? Are these spams "only" targeting amazon customers? Or are they being slung at everyone? :)


I think it is botnet spam. I have seen a few samples myself just glancing, which means they spam about everyone they possibly can, so chances are it is not targeted. I would guess ZeuS botnet spam, but that is going out on a limb without doing careful research. :wink:

Targeted phishing does happen, but I don't think it is quite as prevalent in volume of spam since some phishing spam is targeting a certain audience due to a database leak or something else where some contact information was stolen.
meep
You are kiillllling-a my bizinisss!
 
Posts: 3083
Joined: Thu Apr 05, 2007 4:10 pm

Re: "Amazon.com order cancellation" spam

Postby AlphaCentauri » Wed Mar 17, 2010 6:03 pm

The stuff I'm seeing didn't come from Amazon. They just spoofed Amazon's email address in the "from" so the spam matched my whitelist. I had to redo my filters to add checks for the IP address in the headers, which I've been meaning to do anyway. But there's no reason to think Amazon is infected if the email never passed through Amazon's computers.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 6259
Joined: Thu Mar 01, 2007 3:01 am

Re: "Amazon.com order cancellation" spam

Postby ahoier » Wed Mar 17, 2010 8:27 pm

I wasn't necessarily questioning if it was sent "from" amazon...but curiosity more on the idea that if it was "only" targeting e-mail addresses who had amazon accounts of some sort.

If that were the case, it would infer a database breach occurred somewhere down the line, and they were spewing the spam from other means (bulletproof mailers, etc.).
ahoier
Spammer Killing Machine
 
Posts: 565
Joined: Thu Apr 03, 2008 4:33 pm
Location: Florida

