17 September 2011 00:23
To those who believe the Russian web tends to be safer, please first read Kaspersky's threat report for Q2 2011.

Then, have a look at the following.
 
Here is the mail I received (14th of September):
mail_gyuntere.ru_170911.jpg
The contact who sent this email most likely has a compromised computer.
 
The URL to be spread is:
It is not even hidden (for instance by showing one URL in the rendered HTML and a different one in the source code).
 
As you can see, it is a WordPress-powered website (note the "wp-content" part of the URL).
 
But the funny part is the message displayed on this webpage:
 
You are here because one of your friends have invited you
to try our free trial.
Hurry up! Limited quantity available!
We try to be helpful for you.
Page loading, please wait....
 
 
Then there is an automatic redirection in the source code, done the simplest way possible, with a meta refresh tag:
<meta http-equiv="refresh" content="4; url=http://gyuntere.ru">
 
 
Now, what does Netcraft say about this website?
netcraft_url_170911.jpg
Hosted in Romania, while the ccTLD is Russia (.ru).

And last, the "real" webpage, whose content is likely related to "male enhancement"... hum.
 
site_170911.jpg
 
Netcraft's risk rating bar is red, but there is no warning when accessing the website.
And yes, Nginx is also used to serve "spam related" websites...

============================
Update 1:

More about the "bouncing" server:
It seems that the whole folder
http:///www.margotta.info/wp-content/uploads/developer_tools/EnableCustomHeaderThemeOption/
has been compromised, since it contains a lot of files with kind of random names, most of which contain a message like:
"You are here because one of your friends have invited you."

bounce_srv_files_170911.jpg

But what I find most interesting is that almost every one of those files seems to contain a different redirection URL!

A few examples:
- http:///www.margotta.info/wp-content/uploads/developer_tools/EnableCustomHeaderThemeOption/1111.htm
-> http:///caretabgalaxy.com/

- http:///www.margotta.info/wp-content/uploads/developer_tools/EnableCustomHeaderThemeOption/domvkf.htm
-> http:///wikimedicare.com/

- http:///www.margotta.info/wp-content/uploads/developer_tools/EnableCustomHeaderThemeOption/dttnba.htm
-> http:///gyuntere.ru/

- http:///www.margotta.info/wp-content/uploads/developer_tools/EnableCustomHeaderThemeOption/mmarfd.htm
-> http:///ommatorepillstablets.net/

And BTW, the same scenario seems to be happening on another website:
http:///dev.studiolumierefilms.com/wp-content/plugins/extended-comment-options/

Thus we have:
- http:///dev.studiolumierefilms.com/wp-content/plugins/extended-comment-options/crsrtfh.htm
-> http:///carepillhealth.com/

- http:///dev.studiolumierefilms.com/wp-content/plugins/extended-comment-options/1111.htm
-> http:///caretabgalaxy.com/

- http:///dev.studiolumierefilms.com/wp-content/plugins/extended-comment-options/aaa.htm
-> http:///counterpunchdietmeds.com/

It looks like a real global spam campaign, taking advantage of compromised websites running WordPress to fool antispam/URL filters and spread over the Internet...
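To hunt for this kind of bouncing page in a WordPress install, here is an added example (not code from the original post): a small Python scanner that parses meta refresh tags regardless of attribute order or quoting, ignores same-site redirects, and reports files that bounce visitors to another host, also noting whether the lure text quoted above is present. The sample pages and the use of www.margotta.info as the site host are constructed from the post's description.

```python
import re
from urllib.parse import urlparse

# Whole <meta ...> tag; attributes are parsed separately so the order of http-equiv and content does not matter.
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
# content="4; url=http://gyuntere.ru" -> delay 4, target http://gyuntere.ru
CONTENT_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)
# Lure text seen in the bouncing pages described in the post.
LURE_PHRASE = "one of your friends have invited you"

def parse_meta_refresh(html):
    """Return (delay_seconds, target_url) for the first meta refresh, else None."""
    for tag in META_TAG_RE.finditer(html):
        attrs = {}
        for m in ATTR_RE.finditer(tag.group(0)):
            attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        m = CONTENT_RE.match(attrs.get("content", ""))
        if m:
            return int(m.group(1)), m.group(2)
    return None

def scan_pages(pages, site_host):
    """pages: {relative_path: html}, e.g. read from wp-content/uploads; returns off-site bounces."""
    findings = []
    for name, html in sorted(pages.items()):
        parsed = parse_meta_refresh(html)
        if parsed is None:
            continue
        delay, target = parsed
        host = urlparse(target).hostname or site_host  # relative URL = same site
        if host.lower() == site_host.lower():
            continue  # same-site redirect, not a bounce
        findings.append({"file": name, "delay": delay, "target": target,
                         "lure_text": LURE_PHRASE in html.lower()})
    return findings

# Constructed sample pages modelled on the bouncing files in the post.
SAMPLE_PAGES = {
    "EnableCustomHeaderThemeOption/dttnba.htm":
        '<html><head><meta http-equiv="refresh" content="4; url=http://gyuntere.ru">'
        "</head><body>You are here because one of your friends have invited you"
        " to try our free trial.</body></html>",
    "EnableCustomHeaderThemeOption/index.html":
        "<html><head><META CONTENT='0;URL=/blog/' HTTP-EQUIV='Refresh'></head></html>",
    "EnableCustomHeaderThemeOption/readme.htm":
        "<html><body>Theme documentation, no redirect here.</body></html>",
}
```

Running `scan_pages(SAMPLE_PAGES, "www.margotta.info")` reports only dttnba.htm, since index.html redirects within the same site and readme.htm has no refresh at all.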
