Lack of careY

It has been a pretty quiet day today, not surprising given that it is a bank holiday weekend in the UK. One of the phishing attacks seen was vaguely amusing. The phish email used the old trick of a HTML-formatted message containing superfluous characters with a white font color. You can see all the inserted ‘y’ characters when switching between the original message and that ignoring font color:

hide3

The attack used a compromised Russian web site to host the phish site. Coincidentally, I noticed that pages served up from elsewhere on this site are detected as Troj/Decdec-A. The Russian site has been compromised – a malicious script has been appended to pages to silently load content from a remote server (via an iframe tag). HTTP requests to that remote server have been blocked by the WS1000 since July 5th.

Aside from demonstrating how compromised sites are frequently used to launch both phishing and web attacks, this case also demonstrates the lack of care taken by the bad guys (did you notice the additional ‘y’ on the first line – Clientey?)