Tag Archives: spam

Local PayPal Phishing – and why we need a CERT

This just came in the mail: (twice – at two different mailboxes – I must be a high value target for these guys)

A classic phishing email, with the only exception that it seems highly targeted at the Israeli market! (yeah – I know, I sound a little excited, but this is the first one I ever got…). Obviously, I am not the new owner of BROWN denim jeans (eeewww!), so as I am very interested in who may want my PayPal details, a bit of digging brought this up:


  1. The phishing site (the one the obvious “CANCEL TRANSACTION” link leads to) is hosted on al3abnt.com.
  2. al3abnt.com is obviously not related to PayPal, and in a very unusual turn of events it is actually registered to a person, or at least to something that may lead closer to a person than most phishing sites do (they use whois anonymizing).
  3. The Whois registration (see below) also leads to a website on anasblog.me. This seems to be a personal blog from a local village called Salfit in Israel (I knew it reminded me of something… been around there a couple of times :-)).
  4. The blog (see screenshot below) seems pretty anti-Israeli (note the “we are with the third intifada” button on the top-left corner) – thus explaining the interest in local Israeli PayPal accounts.
  5. Obviously – there’s no one to send the notification to… no CERT would handle this, and the police are almost comical in the way they react to calls of this nature…
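The first two steps of the digging above (follow the link, notice that its host has nothing to do with PayPal) can be automated as a triage check on a suspect message. The script below is an added example and not the blog's code: it pulls every anchor out of an HTML body and flags links whose registrable domain does not belong to the brand the mail claims to be from. The sample message, the `KNOWN_BRANDS` table and the `phish-host.example` domain are constructed for the example; the real phishing domain from the post is deliberately not used.

```python
"""Flag links in a suspected phishing email whose destination host does not
belong to the brand the message claims to come from.

Added example, not the blog's code. The email body and domains below are
constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the only legitimate registrable domain for
# "PayPal" is paypal.com. A production table would be much larger.
KNOWN_BRANDS = {"paypal": {"paypal.com"}}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'registrable domain': the last two labels of the host name.
    A real check would consult the public suffix list (co.uk etc.); using
    two labels is a simplifying assumption of this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_mismatches(html_body, sender_address):
    """Return a finding for every link that claims a brand but points elsewhere.

    A brand is 'claimed' when the sender address or the link text names it;
    the link is suspicious when its registrable domain is not one of the
    domains that brand legitimately uses."""
    parser = LinkExtractor()
    parser.feed(html_body)
    claimed_by_sender = {b for b in KNOWN_BRANDS if b in sender_address.lower()}
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # mailto:, relative links etc. are not web destinations
        target = registrable_domain(parsed.hostname)
        brands = claimed_by_sender | {b for b in KNOWN_BRANDS if b in text.lower()}
        for brand in brands:
            if target not in KNOWN_BRANDS[brand]:
                findings.append({"text": text, "href": href,
                                 "brand": brand, "actual_domain": target})
    return findings


# Constructed sample in the shape of the message from the post; placeholder domains.
SAMPLE_EMAIL = """
<p>You have paid 89.00 USD for BROWN denim jeans.</p>
<p>Not you? <a href="http://phish-host.example/paypal/login.php">CANCEL TRANSACTION</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
"""

if __name__ == "__main__":
    for f in brand_mismatches(SAMPLE_EMAIL, "service@paypal.com"):
        print(f"{f['text']!r} claims {f['brand']} but goes to {f['actual_domain']}")
```

The genuine `www.paypal.com` link passes because its registrable domain is on the brand's list; the cancel link is reported because the sender claims PayPal while the destination is an unrelated host. The whois step from the post is left out on purpose, since it needs a network lookup and the output varies by registrar.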

I’m guessing that a CERT would have done the following:

  1. Publish a warning notification on the offending site, and the email template.
  2. Coordinate with the ISP the takedown of the offending site, and law-enforcement work to apprehend the scammer (a phone number is listed in the whois information – feel free to try it out 🙂 ).

Be safe out there!

Twitter spam – Spitter? Tpam?

Unless you’ve been living under a rock in the past couple of years, you have been exposed to Twitter in some shape or form. Having adopted this means of socializing myself not too long ago (been researching its security since day-0, jumped on the bandwagon a few months ago), I have to live with the bad aspects of social networks again.

When you finally think that a social network platform would be immune to the perils of spam and malicious content, it’s funny to see how spammers – especially on the adult content side – have been using Twitter to peddle their stuff… Instead of Tweeting it again (http://twitter.com/iiamit/status/2404011102), I decided to pay respects with a full blog post.

[screenshot: spitter]

So here are my 2 new followers (the one mentioned in my older tweet has fled – probably didn’t get what they signed up for 😉 ). I’ll be sure to keep checking out these trends and make sure that nothing beyond the traditional and mostly harmless content shows up (unless you consider NSFW dangerous – no malweb so far there).

See you all in Vegas (https://www.defcon.org/html/defcon-17/dc-17-speakers.html#Amit)!

Update: OK, this can go out in the open now (had to make sure that this went public already…). Pushing malweb through Twitter has been going on for a while; a funny example below shows the same malicious URL being pushed by “foot soldiers” across multiple trending topics as they change over time:

[screenshot: maltweet1]

And the Tweet of the day for me is an attempt to “whore” the trending topics in order to promote an adult site:

[screenshot: trendwhoring]

Obviously all the keywords at the time this was published were on the trending top list…
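Both screenshots show patterns that are easy to spot mechanically once you have the tweets and the current trend list: one URL being posted into trend after trend by a set of accounts, and single tweets that stuff many trending keywords at once. The script below is an added example, not the blog's code or any Twitter tooling. The feed, the account names, the `topicA`..`topicC` trends and the `bad.example` / `adult.example` URLs are all constructed placeholders; it also assumes a trend is matched as a whole word in the tweet text, with or without a leading `#`.

```python
"""Two detection heuristics for the Twitter spam patterns shown above: one
URL pushed across many trending topics by many accounts ("foot soldiers"),
and tweets that stuff several trending topics at once ("trend whoring").

Added example, not the blog's code. Topics, accounts and URLs below are
constructed placeholders.
"""
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://[^\s]+")

# Constructed sample feed; topicA..topicC stand in for the trends of the moment.
TRENDING = ["topicA", "topicB", "topicC"]
TWEETS = [
    {"user": "soldier1", "text": "wow #topicA look http://bad.example/x"},
    {"user": "soldier2", "text": "topicB this is crazy http://bad.example/x"},
    {"user": "soldier3", "text": "#topicC omg http://bad.example/x"},
    {"user": "soldier1", "text": "#topicA again http://bad.example/x!"},
    {"user": "normal1", "text": "great game tonight #topicA http://news.example/a"},
    {"user": "normal2", "text": "#topicA recap http://news.example/a"},
    {"user": "promo", "text": "#topicA #topicB #topicC hot stuff http://adult.example/"},
]


def topics_in(text, trending):
    """Trending topics mentioned in a tweet, matched as whole words, case-insensitively."""
    return {t.lower() for t in trending
            if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE)}


def normalize_url(url):
    """Strip trailing punctuation and lower-case so repeats of one link group together."""
    return url.rstrip(".,!?)").lower()


def url_topic_spread(tweets, trending):
    """Map each URL to the trends, accounts and number of tweets it appeared with."""
    spread = defaultdict(lambda: {"topics": set(), "users": set(), "count": 0})
    for tw in tweets:
        topics = topics_in(tw["text"], trending)
        for url in URL_RE.findall(tw["text"]):
            entry = spread[normalize_url(url)]
            entry["topics"] |= topics
            entry["users"].add(tw["user"])
            entry["count"] += 1
    return spread


def flag_foot_soldier_urls(tweets, trending, min_topics=2, min_users=2):
    """URLs posted under at least min_topics distinct trends by at least
    min_users distinct accounts: the 'same link in every trend' pattern."""
    spread = url_topic_spread(tweets, trending)
    hits = [(url, s) for url, s in spread.items()
            if len(s["topics"]) >= min_topics and len(s["users"]) >= min_users]
    return sorted(hits, key=lambda item: -len(item[1]["topics"]))


def flag_topic_stuffing(tweets, trending, min_topics=3):
    """Tweets naming min_topics or more trends at once: the trend-whoring pattern."""
    return [tw for tw in tweets if len(topics_in(tw["text"], trending)) >= min_topics]


if __name__ == "__main__":
    for url, s in flag_foot_soldier_urls(TWEETS, TRENDING):
        print(f"{url}: {len(s['topics'])} trends, {len(s['users'])} accounts, {s['count']} tweets")
    for tw in flag_topic_stuffing(TWEETS, TRENDING):
        print(f"topic stuffing by {tw['user']}: {tw['text']}")
```

The two thresholds keep the heuristics apart: the `news.example` link sits in a single trend and is ignored, and the `adult.example` tweet hits three trends but comes from one account, so it is reported as topic stuffing rather than as a foot-soldier campaign. In practice the trend list changes over time, so the check has to be re-run against the trends that were current when each tweet was posted.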