[nsp-sec] Interesting spike of dodgy URLs via Yahoo! Mail.
Scott A. McIntyre
scott at howyagoin.net
Sun Feb 3 16:44:42 EST 2013
Hi all,
Props to my wife for taking on enough of my aluminium-hat nature and spotting this one -- she's been inundated by a series of Yahoo! Mail-originated messages this morning (mostly from Yahoo Australia customers, it seems, as well) where the content of the mail is a link to a compromised WordPress site.
The subject lines are all "Hey!" "Hello" "Hi!!!" and so on.
The URLs she's received so far are:
http:// www.bettydeparis.com /components/com_content/YaID523.php
http:// www.bijouxdemathilde.com /components/com_content/YaID523.php
http:// www.bbmusa.com /components/com_content/yaid3523.php
http:// www.bellamiamakeup.com /components/com_content/yaid3522.php
Followed by a signature along the lines of:
2/2/2013 2:47:55 PM
John Doe
_____
Or
Jane Doe
2/1/2013 11:03:31 PM
_____
Looking at the headers, the mail really is going via Yahoo, and the names in the signature seem to be the real names of the account owners.
The URLs redirect to newsgo6marketgenonline.eu and call Maxmind's GeoIP code...
Just a heads-up for those who may track and/or be interested in such things.
Regards,
Scott A. McIntyre
Telstra Security Operations
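A mail-filter check for the indicators Scott lists, as an added example that is not part of the original post: it parses a message and flags the greeting-only subject, a link whose path is /components/com_content/yaid<digits>.php, and relay through a yahoo.com host. The sample messages, relay hostnames, addresses and domains below are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Indicators taken from the post: greeting-only subjects, a link whose path
# is /components/com_content/yaid<digits>.php, and relay through Yahoo.
GREETING_SUBJECTS = {"hey!", "hey", "hello", "hi", "hi!", "hi!!!"}
YAID_URL_RE = re.compile(
    r"https?://[^\s<>\"']+?/components/com_content/yaid\d+\.php", re.IGNORECASE)
YAHOO_RELAY_RE = re.compile(r"\.yahoo\.com\b", re.IGNORECASE)


def score_message(raw):
    """Return which indicators a raw RFC 5322 message matches."""
    msg = message_from_string(raw, policy=default)
    subject = (msg["subject"] or "").strip().lower()
    received = " ".join(str(h) for h in msg.get_all("Received", []))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = []
    if subject in GREETING_SUBJECTS:
        hits.append("greeting-subject")
    urls = YAID_URL_RE.findall(text)
    if urls:
        hits.append("yaid-url")
    if YAHOO_RELAY_RE.search(received):
        hits.append("via-yahoo")
    # The URL path is the strong signal; require one corroborating hit so a
    # single forwarded link in an ordinary thread does not trip the rule.
    suspect = "yaid-url" in hits and len(hits) >= 2
    return {"hits": hits, "urls": urls, "suspect": suspect}


# Constructed sample messages (relay names, addresses, domains are made up).
SAMPLE_SPAM = """\
Received: from relay.example.yahoo.com (relay.example.yahoo.com [198.51.100.12]) by mx.example.net with ESMTP; Sat, 2 Feb 2013 14:48:01 +1100
From: John Doe <john.doe@example.yahoo.com>
To: victim@example.net
Subject: Hey!
Content-Type: text/plain; charset=utf-8

http://compromised.example/components/com_content/YaID523.php

2/2/2013 2:47:55 PM
John Doe
_____
"""

if __name__ == "__main__":
    print(score_message(SAMPLE_SPAM))
```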