iOffer phishing email

The iOffer web site, a place to sell, buy and trade, is the subject of a phishing email. MX Lab received some samples with the subject “You’ve received a question about your ioffer item Brand New Nikon D80 Package, 2 Lens,4GB and more..” and the sender address “noreply@ioffer.com” <noreply@ioffer.com>, containing the following content:

Dear member,

You have a question from maildirect1 regarding the item Brand New Nikon D80 Package, 2 Lens,4GB and more….!

Click below to see the question and respond:
View the dispute thread to respond hxxp://222.124.199.98/icons/small/login?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=******

**THIS IS AN AUTOMATED EMAIL – PLEASE DO NOT REPLY**

The use of an IP address in a URL is always suspicious and should alert you to possible abuse. When visiting the site we found a nicely branded iOffer login page (we didn’t expect anything else) where you are asked for your login and password.

Normally, our Firefox warns us when we enter a phishing site, but this time we have no warnings. When filling in a login and password (not recommended) I notice that the words Username and Password turn green and next to the form fields the words Required_fail appear. Afterwards you are directed to the genuine iOffer login page.
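The IP-address heuristic described above can be automated in a mail filter. The following is an added example, not code from MX Lab or the original post. It also goes one step further and flags links whose host does not belong to the sender's domain. The sender, body and addresses in the sample are constructed (documentation ranges and `.example` names).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Matches normal and defanged (hxxp://) URLs in a plain-text body.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)

def refang(url):
    """Turn a defanged hxxp:// URL back into http:// so it can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def host_is_ip(host):
    """True if the URL host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def check_links(sender, body):
    """Return (url, reasons) for every link that looks suspicious."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    findings = []
    for raw in URL_RE.findall(body):
        try:
            host = (urlsplit(refang(raw)).hostname or "").lower()
        except ValueError:          # malformed host, e.g. unbalanced brackets
            findings.append((raw, ["URL could not be parsed"]))
            continue
        reasons = []
        if host_is_ip(host):
            reasons.append("host is a raw IP address")
        elif host != sender_domain and not host.endswith("." + sender_domain):
            # Weak signal on its own: real mailings often use third-party hosts.
            reasons.append("host is outside sender domain " + sender_domain)
        if reasons:
            findings.append((raw, reasons))
    return findings

# Constructed sample modelled on the message above (not the real addresses).
SAMPLE_SENDER = "noreply@shop.example"
SAMPLE_BODY = """Click below to see the question and respond:
hxxp://203.0.113.7/icons/small/login?SignIn&siteid=0
Help: http://www.shop.example/help
Unsubscribe: http://mail.other.example/unsub
"""

if __name__ == "__main__":
    for url, reasons in check_links(SAMPLE_SENDER, SAMPLE_BODY):
        print(url, "->", "; ".join(reasons))
```

The From address is trivially spoofed, so the sender domain here only represents the brand the message claims to come from; the raw-IP finding is the stronger of the two signals.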

The latest spam campaigns on the net

Spam about meds and pills still makes up a serious part of all spam messages worldwide. The latest spam messages are some fine examples.

Google Groups spam

The following spam message is again using Google Groups to attract the visitor.

Hi!

Feel Better Now!!

hxxp://groups.google.com/xxxxx/robertomrlg860/web/mariana

We’re always here for you!
the past is immutable: forget it, sheep dismantler

This is the Google Groups page:

Following the URL to Google Groups brings us to a site called Pharmacy Express under the domain hxxp://esmnyx.sg/.

CBS News spam

Another example included a “News Summary” in the header. That image is actually hosted on the CBS News site.

What is remarkable about this spam is that when you look in the message source you’ll find up to 5 different URLs in use, under the Help, Advertise, Terms of Service and other links, that all redirect to the same Canadian Pharmacy web site.

Pizza Hut

Another “victim” in the spam campaigns is Pizza Hut. The “Order Now” button and the “Click for more deals” tab are both images hosted on the Pizza Hut site.

The message source even contains a URL from Pizza Hut going to their special landing page: hxxp://getmore.emailpizzahut.com/****. The URLs also lead to the Canadian Pharmacy.

Power Gain spam

Besides Viagra and other pills, techniques and products to increase your manhood are also very popular. This example shows you the latest one.

Do notice that in these campaigns the spam messages contain footers with unsubscribe links, links to change your email preferences and so on. With these techniques spammers try to make their messages look like a valid mailing in order to mislead the readers.
