Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 8 April 2009

Malicious April eCard from greet2k.com

It seems we've got another ecard malpaign about to start. A few minutes ago, I received the following:

Hello,

A friend had sent you a
new electronic e-card
from our Free Electronic
e-Card Service.

Your e-Card number is: 091236A51201D3G

This e-Card was created today.

Use the following method to view your e-Card:

==============
Method
==============

To view your new greeting card,
simply click on the following link:

http://www.greet2k.com/ecards/cgi-bin/postbox.php?card=091236A51201D3G
(If your mail program does not support this feature, you will have to COPY and PASTE the address into your browser's location bar.)


Regards
Webmaster


Going to the URL in the e-mail results in an error stating "Sorry the card does not exists.", which likely means this one is still being set up. If we drop to the cgi-bin directory, however, we see:



What is strange is that thedeadpit.com was actually used in attacks a couple of months ago, and is suspended, so it no longer resolves:

http://blog.scansafe.com/journal/2009/1/21/thedeadpitcom-tortures-web-surfers.html

Meaning our ecard author either hasn't done his homework, is a script kiddie that's not clever enough to check things actually work before using them, or is still setting it up (in which case, the domain in use will likely change).

WhoIs Information:

Referred to: whois.PublicDomainRegistry.com
By: whois.internic.net

Domain Name: THEDEADPIT.COM

Registrant:
N/A
Julia Taukova (donorsi@yahoo.com)
mustamae 4-11
Tallin
Harjumaa,14865
EE
Tel. +37.2953412

Creation Date: 03-Dec-2008
Expiration Date: 03-Dec-2009

Domain servers in listed order:
ns2.suspended-domain.com
ns1.suspended-domain.com


Ref:
http://hosts-file.net/?s=thedeadpit.com

Standard rules apply of course - NEVER EVER EVER click URLs or open attachments in e-mails.
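For catching this kind of lure at the mail gateway instead of relying on the recipient, the sketch below checks every link in a message body against a hosts-format blocklist. It is an added example, not code from this blog or from hpHosts: the blocklist entries are constructed, the function names are hypothetical, and matching a parent domain (so www.greet2k.com hits a greet2k.com entry) is a choice made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample blocklist in hosts-file format (not real hpHosts data).
SAMPLE_HOSTS = """\
127.0.0.1  localhost
127.0.0.1  greet2k.com      # constructed entry
127.0.0.1  thedeadpit.com   # constructed entry
"""

# Two lines from the e-mail quoted in the post, used as sample input.
SAMPLE_BODY = """\
simply click on the following link:
http://www.greet2k.com/ecards/cgi-bin/postbox.php?card=091236A51201D3G
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def load_hosts(text):
    """Return the set of blocked hostnames from hosts-format text."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        for name in fields[1:]:  # first field is the sink address
            if name.lower() != "localhost":
                blocked.add(name.lower().rstrip("."))
    return blocked

def blocked_links(body, blocked):
    """Return (url, entry) for links whose host or a parent domain is listed."""
    hits = []
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        labels = host.split(".")
        # Try the host, then each parent domain, stopping before the bare TLD.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in blocked:
                hits.append((url, candidate))
                break
    return hits

if __name__ == "__main__":
    for url, entry in blocked_links(SAMPLE_BODY, load_hosts(SAMPLE_HOSTS)):
        print(f"BLOCK {url} (matches {entry})")
```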
