[nsp-sec] Interesting spike of dodgy URLs via Yahoo! Mail.
Tom Hash
thash at yahoo-inc.com
Sun Feb 3 18:32:45 EST 2013
Thanks Scott. I'll inquire with our abuse and mail team. (I received a similar email)
Tom
On Feb 3, 2013, at 1:46 PM, "Scott A. McIntyre" <scott at howyagoin.net> wrote:
> ----------- nsp-security Confidential --------
>
> Hi all,
>
> Props to my wife for taking on enough of my aluminium-hat nature and spotting this one -- she's been inundated by a series of Yahoo! Mail originated messages this morning (mostly Yahoo Australia customers, it seems, as well) where the content of the mail is a link to a compromised WordPress site.
>
> The subject lines are all "Hey!" "Hello" "Hi!!!" and so on.
>
> The URLs she's received so far are:
>
> http:// www.bettydeparis.com /components/com_content/YaID523.php
> http:// www.bijouxdemathilde.com /components/com_content/YaID523.php
> http:// www.bbmusa.com /components/com_content/yaid3523.php
> http:// www.bellamiamakeup.com /components/com_content/yaid3522.php
>
> Followed by a signature along the lines of:
>
> 2/2/2013 2:47:55 PM
> John Doe
> _____
>
>
>
> Or
>
>
> Jane Doe
> 2/1/2013 11:03:31 PM
> _____
>
>
>
> Looking at the headers, the mail really is going via Yahoo, and the names in the signature seem to be the real names of the account owners.
>
> The URLs redirect to newsgo6marketgenonline.eu and call Maxmind's GeoIP code...
>
> Just a heads up for those who may track and/or be interested in such things.
>
> Regards,
>
> Scott A. McIntyre
> Telstra Security Operations
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
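The report above gives a recognisable shape for these messages: a bare greeting subject, a body that is just a link whose path is /components/com_content/YaID<digits>.php, and a name plus m/d/yyyy h:mm:ss AM/PM timestamp as the signature. The following is an added example of scoring incoming mail against those indicators; it is not code from the thread or from the list, and the sample messages, sender addresses and .invalid hostnames are constructed here.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not from the thread): two shaped like the
# reported campaign, one benign mail that also happens to contain a link.
SAMPLES = [
    {"from": "someone@yahoo.com.au", "subject": "Hey!",
     "body": "http://www.example-shop.invalid/components/com_content/YaID523.php\n\n"
             "2/2/2013 2:47:55 PM\nJohn Doe\n_____\n"},
    {"from": "friend@example.org", "subject": "Dinner on Friday?",
     "body": "Table is booked for 7. Menu: https://restaurant.example/menu\nSee you then!"},
    {"from": "other@yahoo.com", "subject": "Hi!!!",
     "body": "http://www.example-boutique.invalid/components/com_content/yaid3522.php\n\n"
             "Jane Doe\n2/1/2013 11:03:31 PM\n_____\n"},
]

URL_RE = re.compile(r"https?://\S+")
# Landing path quoted in the report; the campaign used both YaID and yaid.
LANDING_PATH_RE = re.compile(r"^/components/com_content/yaid\d+\.php$", re.IGNORECASE)
GREETING_SUBJECT_RE = re.compile(r"^(hey|hello|hi)[!.]*$", re.IGNORECASE)
# Signature timestamp in the m/d/yyyy h:mm:ss AM/PM form shown in the report.
TIMESTAMP_RE = re.compile(r"\b\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M\b")

def score_message(msg):
    """Return (score, reasons) for one message; each matched indicator adds one."""
    reasons = []
    if GREETING_SUBJECT_RE.match(msg["subject"].strip()):
        reasons.append("bare greeting subject")
    urls = URL_RE.findall(msg["body"])
    if any(LANDING_PATH_RE.match(urlparse(u).path) for u in urls):
        reasons.append("com_content/YaID landing path")
    body_lines = [l.strip() for l in msg["body"].splitlines() if l.strip()]
    # Link-only body: the first non-empty line is nothing but a URL.
    if body_lines and URL_RE.fullmatch(body_lines[0]) and len(body_lines) <= 4:
        reasons.append("link-only body")
    if TIMESTAMP_RE.search(msg["body"]):
        reasons.append("m/d/yyyy h:mm:ss AM/PM signature timestamp")
    if msg["from"].lower().endswith(("@yahoo.com", "@yahoo.com.au")):
        reasons.append("yahoo sender")
    return len(reasons), reasons

def flagged(messages, threshold=3):
    """Indices of messages that meet the review threshold."""
    return [i for i, m in enumerate(messages) if score_message(m)[0] >= threshold]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLES):
        print(i, score_message(m))
    print("flagged:", flagged(SAMPLES))
```

The sender check alone is weak, since the abuse is of legitimate accounts; the path and signature-timestamp indicators are what separate these from ordinary short mails.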