
SPAM: http://sebastienlarousse.teria.org/offer/newOffer.php?ekjprofiles=10

12/27/2011

A friend of a friend's email account got 'hacked' over the holiday, and they sent me the spam the account was now sending out. It looks like this:
______________________________________________________________________________
From: <REMOVED>
To: <REMOVED>
Cc: 
Date: Tue, 27 Dec 2011 09:16:59 -0500
Subject: 1144444.927
hi, nice day
hXXp://sebastienlarousse.teria.org/offer/newOffer.php?ekjprofiles=10
_______________________________________________________________________________
When I visit the link in my lab, I am redirected to:
hXXp://jonsavzimi.com/?cid=are

which looks like an on-line pharmacy selling all the usual goodies: Viagra, Cialis...
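Following a spam link in a lab is safer when the tool never auto-follows redirects, so every intermediate host in the chain is recorded rather than only the landing page. The script below is an added example, not the blog author's code: it traces a chain one hop at a time, caps the hop count, stops on loops, and accepts a defanged (hXXp://) URL. The transport is injectable so it can be exercised offline; the 302 status and the loop.example entries in the fake responses are assumptions, since the post only records the final landing page.

```python
"""Trace an HTTP redirect chain one hop at a time, never auto-following.

Added example, not the blog author's code. The transport is injectable so
the tracer can be exercised offline against constructed responses;
http_fetch() is a minimal live transport for an isolated lab host.
"""
import re
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def refang(url):
    """Turn a defanged URL (hXXp://, example[.]com) back into a real one."""
    url = re.sub(r"^h[xX]{2}p", "http", url.strip())
    return url.replace("[.]", ".")


def http_fetch(url, timeout=10):
    """Fetch one URL and return (status, Location header or None).

    Uses http.client directly so no redirect is followed behind our back.
    Only run this from an isolated lab host: it contacts the site.
    """
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("GET", path, headers={"User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, fetch=http_fetch, max_hops=10):
    """Return every URL in the chain, starting with `url`.

    Stops at the first non-redirect response, after max_hops redirects,
    or when a URL repeats (redirect loop).
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:
            break  # loop: the same URL came back, stop here
        seen.add(url)
    return chain


# Constructed stand-in for the hop seen in the post. The post only records the
# landing page, so the 302 status is an assumption; loop.example is a
# hypothetical pair of URLs added to show the tracer terminating on a loop.
FAKE_RESPONSES = {
    "http://sebastienlarousse.teria.org/offer/newOffer.php?ekjprofiles=10":
        (302, "http://jonsavzimi.com/?cid=are"),
    "http://jonsavzimi.com/?cid=are": (200, None),
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "/a"),
}


def fake_fetch(url):
    """Offline transport: answer from FAKE_RESPONSES, 404 for anything else."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    start = refang("hXXp://sebastienlarousse.teria.org/offer/newOffer.php?ekjprofiles=10")
    for hop in trace_redirects(start, fetch=fake_fetch):
        print(hop)
```

Swap `fake_fetch` for the default `http_fetch` to run it live; note that a JavaScript or meta-refresh redirect will not show up here, since only HTTP-level Location headers are followed.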

Did some research on the site: http://www.ip-adress.com/whois/jonsavzimi.com
It's using two name servers:
ns2.medicalpillshiv.com - which appears in multiple on-line malware analyzer reports.
ns1.uvqip.ru - which also appears in multiple on-line malware reports.

My advice when something like this happens to your account:

1.  CHANGE your account password!!  Then at least nobody can send emails directly from your account.  (There are other ways to use your email address in a spam campaign without access to your account, but that's another blog altogether.)  Also look into enabling 2-step verification.
2.  Take your machine offline and run an up-to-date ROOT KIT scanner against it.  This gives a good indication of whether your machine has some nasties installed.  (The 'bad guys' might have brute-forced the password on your on-line account, but worse, you could have a keylogger installed on your machine which grabbed your password for the account and forwarded it out.)  Bear in mind that a scanner running inside an already compromised operating system can be blinded by the rootkit it is looking for, so a scan from clean boot media is more trustworthy.  Here are some links for root kit scanners: http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx , http://support.kaspersky.com/faq/?qid=208283363

Remember to use STRONG passwords, never reuse one password across accounts, and change a password promptly if you suspect it has been compromised (rotating them periodically doesn't hurt either). Here is a good video on creating passwords: http://youtu.be/Ah3gCnTi8b8

Check your SENT FOLDER periodically to make sure no emails are being sent from your account which you did NOT send yourself.

And as always, KEEP YOUR MACHINE UP-TO-DATE with PATCHES (Operating System and Applications!)
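The "check your Sent folder" advice can be automated for the pattern this particular run uses: a subject that is nothing but digits and dots, and a body that is a one-line greeting plus a single URL. The script below is an added example, not the blog author's code; the messages in SAMPLE_SENT are constructed for the example (the first one mirrors the spam quoted above, the others are made up), and the heuristic is deliberately narrow so that a normal message containing a link is not flagged.

```python
"""Flag messages in a Sent folder that look like the spam run in the post.

Added example, not the blog author's code. The heuristic comes from the
sample spam above: a subject that is only digits and dots, and a body that
is at most a one-line greeting plus exactly one URL. SAMPLE_SENT is
constructed for this example.
"""
import re
from email import message_from_string
from email.policy import default

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
NUMERIC_SUBJECT_RE = re.compile(r"^[\d.]+$")


def plain_body(msg):
    """Return the text/plain body of a parsed message ('' if there is none)."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def spam_run_url(msg):
    """Return the single URL if the message matches the spam pattern, else None."""
    subject = str(msg["Subject"] or "").strip()
    lines = [ln.strip() for ln in plain_body(msg).splitlines() if ln.strip()]
    urls = URL_RE.findall("\n".join(lines))
    numeric_subject = bool(NUMERIC_SUBJECT_RE.match(subject))
    link_only_body = len(lines) <= 2 and len(urls) == 1
    return urls[0] if numeric_subject and link_only_body else None


def scan_sent_folder(raw_messages):
    """Parse raw RFC 5322 messages; return (date, to, url) for each suspicious one."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=default)
        url = spam_run_url(msg)
        if url:
            hits.append((str(msg["Date"]), str(msg["To"]), url))
    return hits


# Constructed sample Sent folder: two messages in the pattern from the post
# (the second subject and recipient are made up), plus one legitimate message
# that also happens to contain a link.
SAMPLE_SENT = [
    "From: me@example.com\n"
    "To: friend@example.com\n"
    "Date: Tue, 27 Dec 2011 09:16:59 -0500\n"
    "Subject: 1144444.927\n"
    "\n"
    "hi, nice day\n"
    "http://sebastienlarousse.teria.org/offer/newOffer.php?ekjprofiles=10\n",
    "From: me@example.com\n"
    "To: aunt@example.com\n"
    "Date: Tue, 27 Dec 2011 09:17:03 -0500\n"
    "Subject: 2031.55\n"
    "\n"
    "hello\n"
    "http://sebastienlarousse.teria.org/offer/newOffer.php?ekjprofiles=10\n",
    "From: me@example.com\n"
    "To: boss@example.com\n"
    "Date: Wed, 28 Dec 2011 10:00:00 -0500\n"
    "Subject: Q1 planning notes\n"
    "\n"
    "Hi,\n"
    "here are the notes from this morning, let me know what I missed:\n"
    "http://intranet.example.com/notes/q1\n"
    "thanks,\n"
    "me\n",
]

if __name__ == "__main__":
    for date, to, url in scan_sent_folder(SAMPLE_SENT):
        print(f"{date}  to {to}: {url}")
```

To use it on a real mailbox, feed it the raw messages from an mbox export (the `mailbox` module in the standard library can iterate those). The heuristic will miss spam runs with a different template, so treat it as a first pass, not a guarantee.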

PS. I'll be updating this blog once I analyze the network capture associated with this traffic.

mark
    Author

    Security Researcher with about 20 years in the Computer Security Field. Going to talk even if no one is listening..

    email: mrbartlett <at> mrbartlett.com