CastleCops® [SIRT#174443] Blogspot redirection, VPXL

Need help? Click here to register for free! Absolutely zero advertisements on this site!

**$9736.22 of $21422.68**

Help CastleCops serve the community on new servers, Donate Here to reach our goal.

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Survey

Forum FAQ

Usergroups

Profile

Select FavForums

[SIRT#174443] Blogspot redirection, VPXL - fingerprint

All -> FavForums -> SIRT Reports

[del.icio.us!] [digg it!] [reddit!]

View previous topic :: View next topic

Author

Message

tembow

Blue Angel
Premium Member

Joined: Oct 10, 2005
Posts: 2883

Posted: Fri May 16, 2008 9:24 am Post subject: [SIRT#174443] Blogspot redirection, VPXL - fingerprint

Spam Alert

Full Report: CastleCops Link /Blogspot_redirection_VPXL_spam174443.html

Changed status to confirmed spam.Consumed following related reports:

[174444] http://korezuwy17387.blogspot.com
Consumed following related reports:

[174445] http://nubutawy12783.blogspot.com

Google Blogspot redirection.
Alleged perpetrator = William Lin, see http://www.siteadvisor.com/sites/anherbal.com
QUOTE

Visits to this fake pharmacy site is provided through the widespread abuse of Google Blogspot redirection. This is a sad indictment of Google's inability to tackle problems caused by their open framework for creating new blogspot entries. All you need is a Gmail account, and scammers are offering pre-registered Gmail accounts a million at a time. Direct quote from the bulkerforum.biz where scammers hang out:
-----
TOPIC: gmail accts, googlepages redirects, blogger redirects

William

Joined: 14 Nov 2007
Posts: 15

Posted: Fri Mar 28, 2008 1:55 pm
Post subject: gmail accts, googlepages redirects, blogger redirects

if you buy in volume please PM me, i have 1~10 mil of gmail accts for selling, 100k googlepags redirect + 100k blogger redirects.

my ICQ is 407-678-829
-----
William Lin, email address:williamlin89@gmail.com, skype id thealien2006

END QUOTE
This is a MAJOR incident. Escalate to Corporate Security.

Each of these 3 samples has a java script obfuscated redirector, and each decodes to
window.top.location.href='http://anherbal.com/';

Reference: http://www.spamtrackers.eu/wiki/index.php?title=Blogspot#Obfuscated_Java_Script_redirections

Suspend every site containing the matching redirection fingerprint:
var {TS}="{TS}";var {TS}=0;var {TS},{TS},{TS}="{HEX}";{TS}='';var {TS};for({TS}=0;{TS}<{TS}.length;{TS}+=2)

where {TS} is a variable length text string
and {HEX} is a long hexadecimal string comprised of 0-9 A-F

Remove all matching sites. Run continuously as new sites are registered. Check for changes in pattern and adapt.

To monitor for success, check new spammed sites reported at the Geocities URIBL tracker http://rss.uribl.com/hosters/

Further reference: Use the Removal instructions at CastleCops Link /t221784-SIRT_173979_Blogspot_redirection_with_fingerprint_removal.html

Quote:

http://zodidedy48773.blogspot.com

	All -> FavForums -> SIRT Reports	All times are GMT
Page 1 of 1

You cannot post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 140ppm 0.362s (0.076s) Making cybercriminals unhappy since 2002*