Thursday, February 23rd, 2012
We received another suspicious email that spreads a phishing URL. The A HREF link redirects to the phishing URL:

hxxp:// restore.account.sysadmin-center .com/paypal/restore/webscrcmd=_login-run/webscrcmd=_account-run/confirm-paypal/restore=_paypal-account/updates-paypal/

Email header details:

Received: from main.pensativo.nl (main.benefiet.eu [141.138.139.44])
Received: from [202.175.132.8] (helo=administrator) by main.pensativo.nl with esmtpa (Exim 4.77)
From: "Paypal Department"
Subject: Compromised Account
Date: Thu, 23 Feb 2012 15:55:40 +1300
To: undisclosed-recipients:;
Posted in Phishing, Security News | No Comments »
Thursday, February 16th, 2012
New phishing email used to steal Skype login details. The A HREF link "Please click here to verify your identity" redirects users to the malicious URL:

hxxp://login.skype.com.kad-s .com/
Posted in Phishing, Security News | No Comments »
Tuesday, February 14th, 2012
We have recently noted various messages posted by Facebook users that promote a few methods to find out who visits your Facebook profile. At the end of the message there is a link to a Bit.ly shortened URL, as you can see from this image: The shortened URL redirects the users to a malicious URL: HTTP/1.1 [...]
Posted in Security News | No Comments »
Sunday, February 12th, 2012
We have received a suspicious email:

Received: from unknown (HELO userb) (***@globaltires.es@177.0.120.119)
Subject: Cotacao solicitada.
MIME-Version: 1.0
Date: Sat, 11 Feb 2012 17:56:37 -0300

The email message is in HTML. As you can see from this code in the page source:

<A href="hxxp://groupnetvect .co.de">relatorio1379-pdf.</A> (63kb)<BR>

The A HREF link redirects the user to an [...]
Posted in Security News | No Comments »
Saturday, February 4th, 2012
Honeypots have reported another case of malicious iframe code that is generally added after the end of the HTML tag, at the end of the website page, as you can see from the image below: We have also noted another website that redirects users to a fake porn video streaming website with the main objective [...]
Posted in Security News | No Comments »
Wednesday, February 1st, 2012
We noted a few websites infected with the following code (Gumblar-style?):

Extracted malicious URL: hxxp://vohfakai .co.cc/1584179.jpg
URLVoid report: http://www.urlvoid.com/scan/vohfakai.co.cc

Unfortunately (fortunately) the malicious URL is not online, but I am sure it was used to spread malicious JavaScript code or iframe code that would have redirected the users to an exploit kit.
Posted in Uncategorized | No Comments »
Tuesday, January 31st, 2012
Another hidden and malicious iframe is spreading by infecting websites. The iframe code is added before the BODY tag of the HTML page and is obfuscated. The extracted malicious link is:

hxxp://alias .jjbworks .com/analytics.php

Details about the malicious domain:

Website: alias .jjbworks .com
Domain Hash: 2f8f518cb5d452fca78b8c11b3a53913
IP Address: 68.68.20.114
IP Hostname: 68.68.20.114.customer.bluemilenetworks.com
IP Country: [...]
Posted in Security News | No Comments »
Tuesday, January 31st, 2012
Internal honeypots have reported a lot of websites infected with a hidden and malicious iframe code that is added at the end of the HTML tag or before the BODY tag of the page. The malicious iframe looks like this: Download the iframe code (pass is novirusthanks.org): iframe.zip / 1 KB Here is a small [...]
Posted in Security News | No Comments »
Tuesday, January 31st, 2012
Our honeypot has logged an infected website: hxxp://www.preventsweating .com

The malicious JavaScript code is at the end of the page. Download dumped content (pass is novirusthanks.org): exploit.zip / 1 KB

We have analyzed the infected website with our sandbox and we can see from the network traffic that the obfuscated JavaScript code redirects users to [...]
Posted in Security News | No Comments »
Monday, January 16th, 2012
We have detected new phishing emails with the subject “Update your PayPal account Information” that contain a fake PayPal link redirecting to a phishing page used to steal the PayPal account details of users who type in their credentials.

Email header:

Subject: Update your PayPal account Information
Date: Mon, 16 Jan 2012 00:43:26 +0100
Received: from WIN-QJ6LOAE77N1 (unknown [...]
Posted in Security News | No Comments »