
Analysis of a Scam Site Using LinkedIn and Baidu for Covert Redirects

Source: compiled by this site  Author: Anonymous  Date: 2016-12-23


Suspicious link
Recently we observed a URL spreading over Skype. It is built on a LinkedIn URL prefix and ends with a Skype ID as a parameter:
hxxps://www.linkedin.com/slink?code=e2nsPHa#jpulusiv=victimskypeid

Normally most people are quite cautious about suspicious links, but a URL that starts with the LinkedIn domain and ends with a Skype ID is highly deceptive: the recipient has no reason to be suspicious, and some will even be curious enough to click it right away. What happens then? Once the link is clicked, it redirects to another link that starts with the baidu domain:
hxxp://www.baidu.com/link?url=6kdJhiuGhlv0r4EfUsqBKW9t86Werul6GdqAieiiPyC
That link in turn redirects to one of the following scam sites:
hxxp://easyfatloss-a.net/
hxxp://vpworldfor.com/
hxxp://hotvqqqhops.com/
Finally, the victim's own Skype account is used to send the scam link to the rest of their contacts, which is how it spreads so widely.
Redirect analysis
Redirect path:

Analysis of the two redirect domains involved, izatex(.)ru and adnanbostan(.)ru:
curl -v izatex(.)ru
* Rebuilt URL to: izatex(.)ru/
* Hostname was NOT found in DNS cache
* Trying 104.28.16.170…
* Connected to izatex(.)ru (104.28.16.170) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: izatex(.)ru
> Accept: */*
>
Date: Thu, 17 Nov 2016 21:54:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d43aa46bb692c53416b4774b22908a0c21479419698; expires=Fri, 17-Nov-17 21:54:58 GMT; path=/; domain=.izatex(.)ru; HttpOnly
Location: hxxp://intellectvvv.com/?a=370961&c=brain&s=pahas&27352
* Server cloudflare-nginx is not blacklisted
Server: cloudflare-nginx
CF-RAY: 30366c9de40129cb-SEA
Connection #0 to host izatex(.)ru left intact
ping intellectvvv(.)com
PING intellectvvv(.)com (5.149.248.236) 56(84) bytes of data.
64 bytes from marriageagency.in(.)ua (5.149.248.236): icmp_seq=1 ttl=54 time=133 ms
curl -v hxxp://adnanbostan.ru
* About to connect() to adnanbostan(.)ru port 80 (#0)
* Trying 178.208.80.103…
* Connected to adnanbostan(.)ru (178.208.80.103) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: adnanbostan(.)ru
> Accept: */*
>
Server: nginx
Date: Thu, 17 Nov 2016 17:57:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1
Connection: keep-alive
Keep-Alive: timeout=60
Location: hxxp://intellectzzz.com/?a=373727&c=brain&s=beget&9008
Connection #0 to host adnanbostan(.)ru left intact
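An added example (not from the original article) of the two checks a defender would want from the above: flag chat links that are built on the abused redirector endpoints and carry a payload in the fragment, and reconstruct the hop chain offline from captured Location headers. The OPEN_REDIRECTORS table and the CAPTURED hop table are assumptions constructed from the URLs and curl output above; nothing is fetched from the network.

```python
from urllib.parse import urlsplit, parse_qs

# Redirector endpoints abused in the article: (host, path, query key).
# Assumption: these two patterns are the only ones this check knows about.
OPEN_REDIRECTORS = {
    ("www.linkedin.com", "/slink", "code"),
    ("www.baidu.com", "/link", "url"),
}

def classify_link(url: str) -> dict:
    """Explain why a link that starts with a trusted domain is still suspicious."""
    u = urlsplit(url.replace("hxxp", "http", 1))  # undo hxxp defanging
    qs = parse_qs(u.query)
    hit = next((r for r in OPEN_REDIRECTORS
                if r[0] == u.hostname and u.path == r[1] and r[2] in qs), None)
    return {
        "host": u.hostname,
        "open_redirector": hit is not None,
        # The Skype ID rides in the fragment: browsers never send it to the
        # redirector, so only script on the final landing page can read it.
        "fragment_payload": u.fragment or None,
        "suspicious": hit is not None and bool(u.fragment),
    }

def follow_chain(start: str, responses: dict, max_hops: int = 10) -> list:
    """Walk Location headers through a captured table; stop at the landing page."""
    chain, url = [start], start
    for _ in range(max_hops):
        hdrs = responses.get(url)
        if not hdrs or "Location" not in hdrs:
            break
        url = hdrs["Location"]
        if url in chain:  # loop guard
            break
        chain.append(url)
    return chain

# Constructed capture table (defanged like the article's curl sessions): the
# izatex(.)ru hop is the one the curl output shows; the landing entry is a stub.
CAPTURED = {
    "hxxp://izatex(.)ru/": {
        "Location": "hxxp://intellectvvv.com/?a=370961&c=brain&s=pahas&27352",
    },
    "hxxp://intellectvvv.com/?a=370961&c=brain&s=pahas&27352": {
        "Content-Type": "text/html; charset=UTF-8",
    },
}
```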
Analysis found more than 30 domains and IP addresses involved in this scam chain, among them the two redirect domains above and the three landing sites already listed.
Below is the click traffic to the four scam sites over a recent period, which looks suspicious:

Another example
hxxp://www.baidu.com/link?url=b12cAcwR1I5ZEysu76naKRsJOAXSv8vd1XmHX6HmqYe#98866=victimskypeid

This link likewise has baidu.com as its prefix and ends with a Skype user ID; after it is clicked, the user is redirected to the following scam or phishing sites:

