Security Incidents mailing list archives
A new technique to disguise a target URL in spam
From: DCISS <dciss () bigpond net au>
Date: Mon, 05 Apr 2004 10:18:22 +1000
This is a new technique I have found to disguise a target URL in spam e-mail. I received an e-mail claiming that I was infected with the Netsky.b virus. It included a valid link to Mcafee. Hovering the mouse over the link shows that it is for "http://www.mcafee.com";. However I was suspicious because the e-mail came from a completely unexpected user I had never sent e-mail to. Using the view source feature (I use Netscape), I found that the e-mail contained following interesting piece of code:
<FORM action=3dhttp://aicworld=2einfo/anz=2ehtm method=3dget> <A href=3d"http://www=2emcafee=2ecom";><INPUT style=3d"BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;
TEXT-DECORATION: underline" type=3dsubmit value=3dhttp://www=2emcafee=2ecom> </a> ... </FORM> (note that the dots in the URLs have been escaped for some reason)This code creates an invisible form which appears to be a link to a reputable antivirus company. However clicking on the link instead brings us to aicworld.info/anz.htm. I wasn't going to risk my home computer on an unsafe link, and by the time I tried on a work computer, the site was down, so I don't know what clicking on the link would have downloaded. Has anybody else seen this techique before, or know what was being propagated?
Mark Goldfinch --------------------------------------------------------------------------- Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership.Download your free trial at http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------
Current thread:
- A new technique to disguise a target URL in spam DCISS (Apr 05)
- Re: A new technique to disguise a target URL in spam Jeremiah Cornelius (Apr 05)
- Re: A new technique to disguise a target URL in spam Stef (Apr 05)
- Re: A new technique to disguise a target URL in spam Valdis . Kletnieks (Apr 05)
- Re: A new technique to disguise a target URL in spam Jeremiah Cornelius (Apr 06)
- Re: A new technique to disguise a target URL in spam Stef (Apr 05)
- <Possible follow-ups>
- RE: A new technique to disguise a target URL in spam Mason, Seth IFC (Apr 05)
- Re: A new technique to disguise a target URL in spam E.Kellinis (Apr 05)
- RE: A new technique to disguise a target URL in spam Yao, Tongtong (HP NewZealand) (Apr 05)
- Re: A new technique to disguise a target URL in spam http-equiv () excite com (Apr 08)
- Re: A new technique to disguise a target URL in spam Jeremiah Cornelius (Apr 05)