PaulDotCom mailing list archives

phishing question


From: chris.blazek at gmail.com (Chris Blazek)
Date: Tue, 1 Dec 2009 23:03:52 -0600

PJ,
   Yeah, I had the user change all passwords from the email account to fb. I had tried googling for that 1st part of the address, hoping someone had posted something about it. That came up empty.
I tried to get malzilla to decode it, but I really have little experience decoding JavaScript like that.
I'll try looking for deobfuscators to see if something else can decode it.
Sorry for the typos in the original email. :)

Thanks for the help!

Chris



On Dec 1, 2009, at 8:47 PM, PJ McGarvey <pj_mcgarvey at hotmail.com> wrote:

Well, if you mean what does the obfuscated code do, there are a few sites I've used that can "de-obfuscate" code, however sometimes all that can tell you is that "yeah, it's probably malicious". I would google for "javascript deobfuscate".

You could submit the blogspot site to an online sandbox for analysis, like I just did:

http://anubis.iseclab.org/?action=result&task_id=1c4a179271c4d4ee4f5b9820e431f7281&format=html

and possibly find other URLs found in the de-obfuscated code to see what they do.... like this one
http://1nonsensical.cn/?pid=312s02&sid=4db12f

... I've yet to find a .cn domain name I could trust.  LOL.

Follow down the rabbit hole...

That way you can find out if the PC was infected, and how to clean it up.

Otherwise it would seem like some sort of facebook worm that spreads using the FB address book. Was the user logged into Facebook at the time? Might be a good idea to change their password; sounds like it either used the active facebook session to send itself out, or maybe a cookie with the user's saved credentials.

PJ

From: chris.blazek at gmail.com
Date: Tue, 1 Dec 2009 14:54:36 -0600
To: pauldotcom at mail.pauldotcom.com
Subject: [Pauldotcom] phishing question

A coworker clicked on a link in an email and was directed to facebook, then redirected to the following site: despatiesmercemerce . blogspot . com
All of their fb contacts then received the same email. I pulled up the site in malzilla and noticed a script block in the header that looks like it's obfuscated.

I was wondering if someone in the group could figure out what the site was trying to do.

Thanks,
Chris
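Added example, not code from this thread, from Malzilla or from any of the sites PJ mentions: a small static peeler for the two wrappers that were the stock obfuscation of that era, eval(String.fromCharCode(...)) and document.write(unescape('%..')). It rewrites those constructs into plain string literals instead of executing them, loops until nothing changes, and then pulls out any URLs, which is the "find other URLs in the de-obfuscated code" step without ever running the attacker's script. The obfuscated sample is constructed inside the block and the hostname in it is a reserved placeholder, not the .cn domain from the thread; arithmetic-obfuscated character codes and the many other tricks real kits use are deliberately out of scope here.

```javascript
// Constructed sample: the payload an attacker wants the browser to render.
// "malware-host.invalid" is a placeholder (RFC 2606 reserved TLD), not a real host.
const INNER =
  '<iframe src="http://malware-host.invalid/?pid=312s02" width=1 height=1></iframe>';

// Layer 1: percent-encode the payload, the form unescape() decodes.
const layer1 =
  "document.write(unescape('" +
  [...INNER].map(c => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('') +
  "'))";

// Layer 2: wrap layer 1 in eval(String.fromCharCode(...)).
const SAMPLE_SCRIPT =
  'eval(String.fromCharCode(' + [...layer1].map(c => c.charCodeAt(0)).join(',') + '))';

// unescape()-style decoding (%XX and %uXXXX) done by hand so that malformed
// input never throws the way decodeURIComponent() would on bad UTF-8.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, x) =>
    String.fromCharCode(parseInt(u || x, 16)));
}

// One rewriting pass. Each recognised construct becomes either a JSON string
// literal or that literal's contents; the attacker's code is never evaluated.
function peelOnce(src) {
  let out = src;

  // String.fromCharCode(100,111,...)  ->  "do..."
  // Integer literals only; arithmetic such as 50+50 is not evaluated here.
  out = out.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, nums) =>
    JSON.stringify(nums.split(',').map(n => String.fromCharCode(parseInt(n, 10))).join('')));

  // eval("...") / document.write("...")  ->  the literal's contents.
  // JSON.parse is used as a safe string-literal parser; if the literal uses a
  // JS-only escape (e.g. \x41) it throws and the text is left as it was.
  out = out.replace(/(?:eval|document\.write(?:ln)?)\(\s*("(?:[^"\\]|\\.)*")\s*\)/g,
    (match, lit) => {
      try { return JSON.parse(lit); } catch (e) { return match; }
    });

  // unescape('%3C...')  ->  "<..."
  out = out.replace(/unescape\(\s*(['"])((?:%[0-9a-fA-F]{2}|[^'"])*)\1\s*\)/g,
    (_, q, body) => JSON.stringify(percentDecode(body)));

  return out;
}

// Apply passes until a fixed point, with a cap so a pathological input cannot
// keep the loop spinning.
function deobfuscate(src, maxPasses = 10) {
  let cur = src;
  for (let i = 0; i < maxPasses; i++) {
    const next = peelOnce(cur);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Unique http(s) URLs found in the decoded text, the leads to chase next.
function extractUrls(text) {
  const found = text.match(/https?:\/\/[A-Za-z0-9.\-]+(?::\d+)?(?:\/[^\s"'<>]*)?/g) || [];
  return [...new Set(found)];
}

const decoded = deobfuscate(SAMPLE_SCRIPT);
console.log(decoded);
console.log(extractUrls(decoded));
```

Run it with node; the two console lines show the recovered iframe and the single URL inside it. The reason for the static approach is the caveat PJ raises: a sandbox tells you the page is probably malicious, but to know which hosts the user's browser was sent to you want the decoded text, and rewriting literals gets you that without giving the script a chance to run or to fingerprint your analysis box.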


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

