INTUIT INC: phish phail



  • Just had phish - usual "your account (has been compromised|needs verifying|is at risk of closure), log in <a href=httphish://compromised swerver/.hidden_dir/phake.htm>here</a>" stuff.

    Except that the link points to {int_link}.

    Thankfully, they sent me a follow-up email an hour later, confirming that my account should be okay but I ought to log in just to check and verify my account details.

     Except that the URL still says {int_link}.

    .. is this a CFM placeholder? ISTR that Smarty templates used a similar placeholder convention, but I can't see a smarty engine being used as a spam relay.

     



  • @Cassidy said:

    Just had phish - usual "your account (has been compromised|needs verifying|is at risk of closure), log in <a href=httphish://compromised swerver/.hidden_dir/phake.htm>here</a>" stuff.

    Except that the link points to {int_link}.

    Thankfully, they sent me a follow-up email an hour later, confirming that my account should be okay but I ought to log in just to check and verify my account details.

     Except that the URL still says {int_link}.

    .. is this a CFM placeholder? ISTR that Smarty templates used a similar placeholder convention, but I can't see a smarty engine being used as a spam relay.

    Most spambotnets distribute templates from the C&C to the individual bots, using a variety of home-grown template formats, see e.g. http://www.google.co.uk/search?q=botnet+spam+template.  Curly-brace subsitutions seem to be a common theme, yours looks a bit like Ozdok/Mega-D, but there are tons of all-vaguely-alike other possibilities.  There's no way to infer just from seeing a single CFM- or Smarty-like template item what's actually being used, but it's probably not anything server-side because that wouldn't make sense in a botnet, you want to distribute the work, not fill the templates out there!




  • @Cassidy said:

    .. is this a CFM placeholder? ISTR that Smarty templates used a similar placeholder convention, but I can't see a smarty engine being used as a spam relay.

    If you're still curious, Smarty uses {$variable}. And I can't see PHP embedded into a botnet either, unless it was written by Paula Bean.



  • @heterodox said:

    And I can't see PHP embedded into a botnet either, unless it was written by Paula Bean.

    I was thinking more the other way around - the botnet exploiting a common PHP app (wordpress/django/gallery/etc) which used that as a template placeholder somehow.

    (most botnet code I see these days are written in perl)


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.