2013年5月23日星期四

另一封钓鱼攻击邮件



这个攻击仍然是用假的email界面来骗密码: http://mcbud.com.ua/wp-admin/gmal.htm


下面是邮件源代码:

Delivered-To: zuola.co[email protected]
Received: by 10.220.93.69 with SMTP id u5csp22318vcm;
        Wed, 22 May 2013 17:03:21 -0700 (PDT)
X-Received: by 10.224.214.134 with SMTP id ha6mr9314238qab.77.1369267401151;
        Wed, 22 May 2013 17:03:21 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mtaz1.mailnet.ptd.net (mtaz1.mailnet.ptd.net. [204.186.29.65])
        by mx.google.com with ESMTP id i6si3435400qcj.76.2013.05.22.17.02.50
        for <multiple recipients>;
        Wed, 22 May 2013 17:03:21 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 204.186.29.65 as permitted sender) client-ip=204.186.29.65;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 204.186.29.65 as permitted sender) [email protected]
Received: from mb9.mailnet.ptd.net (mb9.mailnet.ptd.net [204.186.29.19])
 by mtaz1.mailnet.ptd.net (Postfix) with ESMTP id B87DC320DD5;
 Wed, 22 May 2013 20:02:36 -0400 (EDT)
Date: Wed, 22 May 2013 20:02:37 -0400 (EDT)
From: Gmail <[email protected]>
Message-ID: <[email protected]>
Subject: =?ISO-8859-1?Q?1_New_Message_From_Gmail=AE?=
MIME-Version: 1.0
Content-Type: multipart/alternative; 
 boundary="----=_Part_24454961_2070092835.1369267356998"
X-Originating-IP: [41.71.190.34]
X-Mailer: Zimbra 7.2.3_GA_2872 (ZimbraWebClient - FF3.0 (Win)/7.2.3_GA_2872)
To: undisclosed-recipients:;

------=_Part_24454961_2070092835.1369267356998
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

You Have One New Message from Gmail "VIEW MESSAGE" About Gmail Media Career=
s Legal stuff Contact us=20
Site map Our cookies =A9 2013 Gmail Media. All rights reserved=20

------=_Part_24454961_2070092835.1369267356998
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<html><head><style type=3D'text/css'>p { margin: 0; }</style></head><body><=
div style=3D'font-family: times new roman,new york,times,serif; font-size: =
12pt; color: #000000'>You Have One New Message from Gmail&nbsp; <a href=3D"=
http://mcbud.com.ua/wp-admin/gmal.htm">"VIEW MESSAGE"</a> About Gmail&nbsp;=
 Media Careers Legal stuff Contact us <br>


Site map Our cookies =A9 2013 Gmail&nbsp; Media. All rights reserved<br>

</div></body></html>
------=_Part_24454961_2070092835.1369267356998--

2013年5月22日星期三

又一封有针对性的攻击邮件

收到一封邮件,被GOOGLE提示:
上面邮件中的查看和下载两个按钮不可点击,是因为GOOGLE帮用户挡住了,让用户免于上当受骗。查看邮件源代码发现:
--b1_9dcebdebd2073a764d2cdaa514815552
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
To view the message, please use an HTML compatible email viewer!
--b1_9dcebdebd2073a764d2cdaa514815552
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit
<p>
<b>20130604公告.doc</b><br />
12K&nbsp;&nbsp;&nbsp;<a href="http://login.yahoo.com.mailpseonfz.com:8080/mailurl/gmail/[email protected]&userid=54&mid=674">查看</a>&nbsp;&nbsp;&nbsp;<a href="http://login.yahoo.com.mailpseonfz.com:8080/mailurl/gmail/[email protected]om&userid=54&mid=674">下载</a></p>
--b1_9dcebdebd2073a764d2cdaa514815552--
原来攻击就是想骗我去点击 login.yahoo.com.mailpseonfz.com:8080 这个网站上的链接,然后可能在网页中放攻击代码,或是提供一个假冒邮箱登录的界面来骗取用户密码。这种办法简单,但对我这个有经验的人就没有效果。仍然不可掉以轻心,网页中仍然有机会放攻击码,以前有java漏洞,对所有平台的浏览器都有效呢。
我查这个网站的IP,是 59.188.16.179,


是香港IP

通常能做的是向IP所在的管理员发投诉信,要是有DDOS工具,就可以让这个网站下载,避免更多人受害。

邮件原代码上传到 http://file.zuo.la/virusmail/2013MAY/mail.txt 供有兴趣研究攻击来源的人士研究。

我相信这邮件仍然是“国家资助的攻击邮件”,因为标题就用了64的日期。

周曙光的网络日志