Based on reader reports (thanks, Fred!), it looks like some carefully crafted spam is making its way past filters at the moment. The spams have content like:
To all of my friends who didnt have the a moment to watch me on the channel-20 news last Tuesday talking about my blog, and financial accomplishments. Im forwarding you the News Article, so you can read the whole story on how I became financially independent and wealthy. hxxp://r,turn,com/r/formclick/id/Ln5c6GsFyTbGgAsAbQABAA/url/%68%74%74%70%3a%2f\%6a%2e%6d%70/TSQHMO?djyna
I'm using hxxp and a comma instead of a dot to keep the domains from becoming clickable, and to hopefully keep your spam/virus filter from panicking belatedly over this ISC diary instead of over the real spam earlier :)
We first expected some sort of Fake AV malware campaign, but it looks like the site only pushes the latest work-at-home-get-rich-quick scam. At least for the moment. Looking at the URL closely, here's what's going down: r,turn,com has an open redirect. The bad guys use this as a trampoline to bounce whoever clicks on the link to the next stage.
%68%74%74%70%3a%2f\%6a%2e%6d%70 is really only hexadecimally (percent-)encoded ASCII and translates to hxxp:/\j,mp; browsers treat a backslash in an http URL like a forward slash, so the next stage is hxxp://j,mp/TSQHMO?djyna.
There, we get a redirect to hxxp://wallyplanet,info/fizo.htm?33722, where we get a file that contains window.location = hxxp://bit,ly/Vn3lWj. Which redirects to hxxp://picklecook,us/fizo2.htm, where we get a file that contains window.location = hxxp://CNBC-20NEWS,NET/momstory294b.htm, where we finally get the sob story and the get-rich-quick scam.
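To show how a defender can unwind a chain like this without visiting any of the sites, here is an added Python example that is not part of this diary. It percent-decodes the target embedded in the trampoline URL (the diary's %68...%70 fragment decodes to http:/\j.mp, with the backslash normalised to a slash the way browsers do), then follows HTTP Location headers and window.location assignments against a constructed, in-memory set of responses. The hostnames redirector.example, short.example, stage1.example and stage2.example, the paths, and the responses are all constructed for the example; only the decoding of the diary's own encoded fragment is taken from the page.

```python
# Added example (not part of the ISC diary): offline unwinding of a spam
# redirect chain. Hostnames (redirector.example, short.example, stage1.example,
# stage2.example), paths and HTTP responses below are constructed.
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urljoin, urlsplit

SCHEME_RE = re.compile(r"(?i)^https?://")
# Matches "window.location = ..." or "window.location.href = ..." in a page
# body, with or without quotes around the target.
WINDOW_LOCATION_RE = re.compile(
    r"""window\.location(?:\.href)?\s*=\s*['"]?([^'";\s]+)""", re.IGNORECASE
)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


def decode_obfuscated_url(fragment: str) -> str:
    """Percent-decode a URL fragment and normalise backslashes to slashes.

    Browsers treat a backslash in an http(s) URL like a forward slash, so the
    diary's "http:/\\j.mp" loads as "http://j.mp". Decoding happens first so
    an encoded backslash (%5c) is normalised as well.
    """
    return unquote(fragment).replace("\\", "/")


def extract_embedded_url(url: str) -> Optional[str]:
    """Return a full URL smuggled inside the path or query of an open redirector.

    The path is scanned from every segment boundary, so an encoded target that
    spans several segments (".../url/%68%74%74%70%3a%2f\\.../TSQHMO") is found.
    """
    parts = urlsplit(url)
    segments = parts.path.split("/")
    tail = "?" + parts.query if parts.query else ""
    for i in range(len(segments)):
        candidate = decode_obfuscated_url("/".join(segments[i:])) + tail
        if SCHEME_RE.match(candidate):
            return candidate
    for _key, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = decode_obfuscated_url(value)
        if SCHEME_RE.match(candidate):
            return candidate
    return None


def next_hop(url: str, fetch: Callable[[str], Response]) -> Optional[str]:
    """Work out where `url` sends a visitor next; None means it is the landing page."""
    embedded = extract_embedded_url(url)
    if embedded is not None:  # open redirector: decoded offline, never fetched
        return embedded
    status, headers, body = fetch(url)
    if status in REDIRECT_STATUSES and "Location" in headers:
        return urljoin(url, headers["Location"])
    match = WINDOW_LOCATION_RE.search(body)
    if match:  # JavaScript redirect inside the body
        return urljoin(url, match.group(1))
    return None


def unwind_chain(start: str, fetch: Callable[[str], Response],
                 max_hops: int = 10) -> List[str]:
    """Follow trampolines, Location headers and window.location hops; stop on loops."""
    chain = [start]
    seen = {start}
    url = start
    for _ in range(max_hops):
        nxt = next_hop(url, fetch)
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in seen:  # redirect loop
            break
        seen.add(nxt)
        url = nxt
    return chain


# Constructed stand-in for network fetches so the walk runs entirely offline.
CONSTRUCTED_RESPONSES: Dict[str, Response] = {
    "http://short.example/abc123":
        (301, {"Location": "http://stage1.example/fizo.htm?1"}, ""),
    "http://stage1.example/fizo.htm?1":
        (200, {}, "<script>window.location = 'http://stage2.example/fizo2.htm';</script>"),
    "http://stage2.example/fizo2.htm":
        (200, {}, '<script>window.location.href="/final/story.htm"</script>'),
    "http://stage2.example/final/story.htm":
        (200, {}, "<html><body>landing page</body></html>"),
}


def offline_fetch(url: str) -> Response:
    return CONSTRUCTED_RESPONSES.get(url, (404, {}, ""))


# Constructed trampoline URL; "%68...%65" decodes to "http:/\short.example".
START_URL = ("http://redirector.example/r/click/url/"
             "%68%74%74%70%3a%2f\\%73%68%6f%72%74%2e%65%78%61%6d%70%6c%65/abc123")

if __name__ == "__main__":
    for hop in unwind_chain(START_URL, offline_fetch):
        print(hop)
```

The redirector hop is resolved purely by decoding, which is the point of the exercise: a reputation check that only looks at the first hostname sees an advertising redirector, while the decoded chain shows the shortener, the two intermediate pages and the final landing page.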
I doubt the spam filters follow this mess all the way, so the URL reputation score in the spam filters apparently got tricked and let the email through.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.