
I got a mass email from a friend containing only this link (made not clickable on purpose):

http://www.casadelapiedra.com/components/com_content/id876757355.php

I imagine she has got some kind of virus, but since I'm curious and not very careful I clicked on it.

The PHP that loaded redirected me to another site.

PHP page:

<h1> You are here because one of your friends <br> have invited you.<br> Page loading, please wait.... </h1> <meta http-equiv="refresh" content="0; url=http://newsmarketgenonline10go.eu/?12/2">

That other site in turn gave a '302 moved temporarily' and redirected me to Google.

Whois doesn't reveal anything about the domain; dig on the MX shows that they use a dynamic DNS. Didn't get any extra info on the A record, besides that it is from Latvia: ns1.altnet.lv, admin.altnet.lv

What could they be after? Confirming email addresses?


The first link uses a redirect webpage that is detected by many antivirus products as:

  • Sophos: Troj/Redir-O
  • Microsoft: Trojan:HTML/BlacoleRef.A
  • Kaspersky: Trojan.HTML.Redirector.an
  • AntiVir: HTML/FriendLoad.A

The text <h1> You are here because one of your friends <br> have invited you.<br> Page loading, please wait.... is the thing that is being detected, so it was probably used before in a malware or spam campaign to redirect to different websites.

An analysis of an older but similar redirector is here.

[...] will redirect you to the following website that masquerades as a CNBC website article, for example:

  • marketnewsonline10.com
  • marketnewsonline11.com
  • marketnewsnext7online.com

The site it redirects to, http://newsmarketgenonline10go.eu, is detected by Websense ThreatSeeker as a phishing site.

Other similar domains used in the same campaign are also detected as phishing:

  • Phishtank: Phishing site
  • Comodo Site Inspector: Phishing site
  • Websense ThreatSeeker: Phishing site

This looks to me like an abandoned phishing campaign.

Cristian Dobre
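As an added example that is not part of the question or the answer: a small Python script that maps a redirect chain like the one described above (a meta refresh tag, then an HTTP 302) without loading anything in a browser, which is how an analyst would record such a chain safely. The URLs come from the question; the response bodies and the `fetch` stub are constructed for this example.

```python
import re
from html import unescape
from urllib.parse import urljoin

# The redirector in the question uses: <meta http-equiv="refresh" content="0; url=...">
_META_REFRESH = re.compile(r"<meta\s+[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*>", re.I)
_CONTENT_URL = re.compile(r"content\s*=\s*[\"']?\s*(\d+)\s*;\s*url\s*=\s*[\"']?([^\"'>\s]+)", re.I)

def meta_refresh_target(html, base_url):
    """Return (delay_seconds, absolute URL) of a meta-refresh redirect, or None."""
    for tag in _META_REFRESH.findall(html):
        m = _CONTENT_URL.search(tag)
        if m:
            return int(m.group(1)), urljoin(base_url, unescape(m.group(2)))
    return None

def walk_redirect_chain(start_url, fetch, max_hops=10):
    """Follow HTTP 3xx Location headers and meta-refresh tags without a browser.
    fetch(url) -> (status, headers, body); a real fetcher belongs on an isolated
    analysis host. Returns [(url, how)] with `how` explaining each transition."""
    chain, seen, url = [(start_url, "start")], {start_url}, start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        lower = {k.lower(): v for k, v in headers.items()}
        if 300 <= status < 400 and "location" in lower:
            nxt, how = urljoin(url, lower["location"]), f"HTTP {status} Location"
        else:
            hit = meta_refresh_target(body, url)
            if hit is None:
                break  # landing page reached: no further redirect found
            nxt, how = hit[1], f"meta refresh after {hit[0]}s"
        chain.append((nxt, how + (" (loop)" if nxt in seen else "")))
        if nxt in seen:
            break
        seen.add(nxt)
        url = nxt
    return chain

# Constructed stub responses reproducing the chain described in the question.
SAMPLE_RESPONSES = {
    "http://www.casadelapiedra.com/components/com_content/id876757355.php": (200, {},
        '<h1> You are here because one of your friends <br> have invited you.<br> Page loading, '
        'please wait.... </h1> <meta http-equiv="refresh" content="0; url=http://newsmarketgenonline10go.eu/?12/2">'),
    "http://newsmarketgenonline10go.eu/?12/2": (302, {"Location": "http://www.google.com/"}, ""),
    "http://www.google.com/": (200, {}, "<html>...</html>"),
}

def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))
```

Calling `walk_redirect_chain` on the first sample URL with `sample_fetch` yields three hops: the PHP page, the .eu site reached by meta refresh, and Google reached by the 302.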