Yesterday a reader of ours forwarded two phishing emails. The first email was a paypal phishing email, but the links in it were offline so we concentrated on the second one. This second email looked like it was from linked-in.
The LinkedIn spam mail
We decided to analyze the link in the spam mail.
Attention: Please only open this url if you know what you’re doing. Tipp: “REMOVE” ;)
It seems like someone hacked a wordpress installation and abused it to send out some phishing emails. The script “wp-secure.php” contained some logic which chose the redirection destination: Either microfsoft.com or the exploit kit.
The script checked the “UserAgent”-Header in the HTTP-Request. If you did not send the right or a wrong UserAgent you were redirected to microsoft.com:
Feel free to further analyze this exploit-code. All that we know is that based on the different version numbers, some specific functions will be executed (exploits?). We sent an abuse email to the DynDNS provider “ftpserver.biz”. Maybe this will help somehow ;)
Like always: Never open strange links in emails from unstrusted senders!
Otherwise you’re likely to be owned by some bad guys :( Tip: Disable as much browser extensions as possible and/or keep them up2date. Additionally, there are some useful plugins (e.g. NoScript) available for the most common browsers.