DriverHeaven.net

 
Old Jul 15, 2004, 06:35 AM   #1
The_Neon_Cowboy

EMAIL WARNING!!!!!!! New and dangerous email going around

Be advised! Not even links in emails are safe anymore.

At first I thought it was just another spoof attempt but this one is much more than that....




Right off the bat you can tell it's not from eBay or PayPal, but not everyone looks at the email address and header info.






So I saved the link to my HDD (right-clicked and "save as") as opposed to actually trying to run the code.
It appeared to be taking me to an eBay page, at least that's what most users would assume on mouse over.

"http://24.239.159.**/ws/eBayISAPI.dll&ViewItem&item=5803329805&category=36 234.html"

(**Last digits X'ed out for your safety)

I planned on opening it in a text editor to see the link's HTML code that was in the email, to see where it was going to go or what it was going to do. (You’d be surprised at what I see sometimes.) I messed up because I selected the file and chose edit, but MS Office tried to load it. I was like NOOO! Anyway, when MS Word tried to open the page this is the warning that came up…



NOTE: It passes right through your mail provider’s antivirus!!!

Since it's an external link that runs the malicious code!




"This threat allows a malicious Web site to download and execute programs on your computer.



This threat contains specially-crafted, HTML code that can download and execute programs without prompting you. This threat only affects Microsoft Internet Explorer.

When visiting a Web page or receiving an HTML email that contains this threat, a file can be downloaded and executed. Under normal conditions, Internet Explorer would prompt you before allowing any executable content to be downloaded and executed on the system. This vulnerability in Internet Explorer allows specially crafted HTML to bypass this security prompt.

This detection prevents HTML files containing this vulnerability from being executed.

Microsoft has released patch MS04-013 to address this issue.
http://www.microsoft.com/technet/sec.../ms04-013.mspx"

Everybody, you might want to patch!

This comes through even through SP2, and there is no patch for Service Pack 2 users for this IE flaw.

http://securityresponse.symantec.com...r.exploit.html





Looks like it's hosted on some cable user's machine... I've already traced the IP...









EarthLink or MindSpring, who should I report this to, or both?


The email came from ....

213.37.59.213


Quote:

This is the RIPE Whois server.
The objects are in RPSL format.

Rights restricted by copyright.
See http://www.ripe.net/ripencc/pub-serv...copyright.html

inetnum: 213.37.0.0 - 213.37.65.255
netname: MADRITEL
descr: PROVIDER
descr: Madritel
country: ES
admin-c: TA718-RIPE
tech-c: TA718-RIPE
status: ASSIGNED PA
mnt-by: AUNA-MNT
mnt-lower: AUNA-MNT
changed: techauna@auna.es 20030505
source: RIPE

route: 213.37.0.0/18
descr: Madritel Comunicaciones
descr: Internet Service Provider
descr: Madrid, Spain
origin: AS12636
mnt-by: AUNA-MNT
changed: techauna@auna.es 20030505
source: RIPE

role: Techauna AUNA
address: Avenida Diagonal, 579
address: Barcelona 08014
address: Spain
phone: +34 93 502 0000
fax-no: +34 93 502 2809
e-mail: techauna@auna.es
admin-c: TA718-RIPE
tech-c: TA718-RIPE
nic-hdl: TA718-RIPE
notify: techauna@auna.es
mnt-by: AUNA-MNT
remarks: --------------------------------------------------
remarks: for net abuse questions please contact:
remarks: abuse@auna.es
remarks: --------------------------------------------------
changed: techauna@auna.es 20031119
source: RIPE






I fired off an email to all parties


Quote:
NOTICE: Be aware the links in the email link to a site that runs malicious code:

Appears to be a PayPal spoof email at first glance, but the links try to run malicious code!

I’ve started a topic on this in a public forum…
EMAIL WARNING!!!!!!! New and dangerous email going around

I’m emailing this to anyone that might need to see this. If you are seeing this, you were shown in my trace routes of either the malicious site’s or the e-mailer's IP.

Malicious site's IP:
24.239.159.3

Malicious e-mailer's IP:
213.37.59.213

I'm hoping this gets forwarded to the proper place....

Last edited by The_Neon_Cowboy; Jul 15, 2004 at 06:56 AM.
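An added example, not part of the original post: a defensive check for the pattern The_Neon_Cowboy describes, where a link's path or text names eBay or PayPal but the host is a raw IP address. The `BRANDS` allow-list, the function names and the sample mail body are assumptions made for this illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list for this example: brand keyword -> domains that may use it.
BRANDS = {"ebay": ("ebay.com",), "paypal": ("paypal.com",)}
# Constructed mail body; 192.0.2.10 is a documentation address, not the poster's IP.
SAMPLE = ('<a href="http://192.0.2.10/ws/eBayISAPI.dll?ViewItem">View eBay item</a> '
          '<a href="https://www.paypal.com/help">PayPal help</a>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_link(href, text):
    """Return reasons the link resembles the spoof in the post (empty list = clean)."""
    host = (urlsplit(href).hostname or "").lower()
    reasons = []
    try:
        ipaddress.ip_address(host)  # raises ValueError for ordinary host names
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    for brand, domains in BRANDS.items():
        on_brand = any(host == d or host.endswith("." + d) for d in domains)
        if brand in (href + " " + text).lower() and not on_brand:
            reasons.append(f"mentions {brand} but host is {host or 'missing'}")
    return reasons

def audit_html(body):
    """Map every link in the body to its list of reasons."""
    parser = LinkCollector()
    parser.feed(body)
    return {href: audit_link(href, text) for href, text in parser.links}
```

The suffix match on the allow-listed domain also catches look-alike hosts such as `ebay.com.example.net`, which a plain substring search for "ebay.com" would accept.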


Old Jul 15, 2004, 07:19 AM   #2
dorkz

Good bit of work there, I'll look out for that 1!

ty
Old Jul 15, 2004, 07:21 AM   #3
dj_stick

so much shit in the mail these days
Old Jul 15, 2004, 07:47 AM   #4
germanjulian

Saw that in my email account today, but good work on tracing it back and contacting the ISPs! I can never be bothered with that.
Old Jul 15, 2004, 07:55 AM   #5
germanjulian

Oh, as you can see in NeoTrace, all connections to America go through the UK! It's good to live in London.
Old Jul 15, 2004, 08:12 AM   #6
The_Neon_Cowboy

Quote:
Originally posted by germanjulian
Saw that in my email account today, but good work on tracing it back and contacting the ISPs! I can never be bothered with that.
Only if it's serious or it ticks me off do I bother.


Quote:
Thank you for bringing this incident of suspicious activity to our
attention. PayPal will investigate this activity immediately and contact
you further if any additional information is required. We appreciate your
concern and thank you for making PayPal the most trusted online payment
service.

Sincerely,

PayPal, Inc.
Old Jul 16, 2004, 03:12 AM   #7
Judas

excellent work neon!
Old Jul 16, 2004, 03:18 AM   #8
mainman

WOOOW talk about impressive work there bud!!!!
Old Jul 16, 2004, 03:26 AM   #9
The_Neon_Cowboy

Quote:
Originally posted by mainman
WOOOW talk about impressive work there bud!!!!
I've gotten some email pertaining to this, just the basic "we're looking into it".