The emails are pretty straightforward:
Subject: Your Blogger Account
Dear Blogger account owner,
To update your Blogger account please click the following link:
http://www.blogger.com/update/VE.php?service=blogger&c=111111111111111111&email=youremail@yourdomain.com.
Thank you for using Blogger.
This is a post-only mailing. Replies to this message are not monitored or answered.
The webpages are of course not actually Blogger, but are phishing sites on ".kr" domains, which have been favored lately by the Avalanche/Zeus group.
http://www.blogger.com.esub.co.kr/update/VE.php?service=blogger
http://www.blogger.com.esub.kr/update/VE.php?service=blogger
http://www.blogger.com.esub.ne.kr/update/VE.php?service=blogger
http://www.blogger.com.esug.co.kr/update/VE.php?service=blogger
http://www.blogger.com.esug.kr/update/VE.php?service=blogger
http://www.blogger.com.esug.ne.kr/update/VE.php?service=blogger
http://www.blogger.com.esuk.kr/update/VE.php?service=blogger
http://www.blogger.com.esuk.ne.kr/update/VE.php?service=blogger
http://www.blogger.com.esuk.or.kr/update/VE.php?service=blogger
http://www.blogger.com.esus.co.kr/update/VE.php?service=blogger
http://www.blogger.com.esus.kr/update/VE.php?service=blogger
http://www.blogger.com.esus.ne.kr/update/VE.php?service=blogger
http://www.blogger.com.esut.co.kr/update/VE.php?service=blogger
http://www.blogger.com.esut.kr/update/VE.php?service=blogger
http://www.blogger.com.esut.ne.kr/update/VE.php?service=blogger
Updated: 22FEB2010 @ 9AM Central time
These are the sites we've seen spammed so far this morning . . .
www.blogger.com.dese.ne.kr
www.blogger.com.desr.co.kr
www.blogger.com.desr.kr
www.blogger.com.desr.or.kr
www.blogger.com.desv.co.kr
www.blogger.com.desv.or.kr
www.blogger.com.erdca.ne.kr
www.blogger.com.erdce.kr
www.blogger.com.erdcq.kr
www.blogger.com.erdcu.kr
www.blogger.com.erdcu.ne.kr
www.blogger.com.esuk.kr
www.blogger.com.zoba.co.kr
www.blogger.com.zoba.kr
www.blogger.com.zoba.or.kr
www.blogger.com.zobv.co.kr
www.blogger.com.zohy.kr
www.blogger.com.zohy.or.kr
The phishing site itself looks like this:
We've seen about 350 copies of this phishing campaign so far, but again, its just started up. Look for more URLs to follow.
No comments:
Post a Comment
Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.