INTUIT INC: phish phail
-
Just had phish - usual "your account (has been compromised|needs verifying|is at risk of closure), log in <a href=httphish://compromised swerver/.hidden_dir/phake.htm>here</a>" stuff.
Except that the link points to {int_link}.
Thankfully, they sent me a follow-up email an hour later, confirming that my account should be okay but I ought to log in just to check and verify my account details.
Except that the URL still says {int_link}.
.. is this a CFM placeholder? ISTR that Smarty templates used a similar placeholder convention, but I can't see a smarty engine being used as a spam relay.
-
@Cassidy said:
Just had phish - usual "your account (has been compromised|needs verifying|is at risk of closure), log in <a href=httphish://compromised swerver/.hidden_dir/phake.htm>here</a>" stuff.
Except that the link points to {int_link}.
Thankfully, they sent me a follow-up email an hour later, confirming that my account should be okay but I ought to log in just to check and verify my account details.
Except that the URL still says {int_link}.
.. is this a CFM placeholder? ISTR that Smarty templates used a similar placeholder convention, but I can't see a smarty engine being used as a spam relay.
Most spambotnets distribute templates from the C&C to the individual bots, using a variety of home-grown template formats, see e.g. http://www.google.co.uk/search?q=botnet+spam+template. Curly-brace substitutions seem to be a common theme, yours looks a bit like Ozdok/Mega-D, but there are tons of all-vaguely-alike other possibilities. There's no way to infer just from seeing a single CFM- or Smarty-like template item what's actually being used, but it's probably not anything server-side because that wouldn't make sense in a botnet, you want to distribute the work, not fill the templates out there!
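The unfilled {int_link} the thread is laughing at is also a usable mail-filter signal: a real mailer never ships a link whose target is still a template token. The script below, an added example that is not part of the thread, scans a message body for the placeholder syntaxes mentioned above (bare {name} curly-brace substitutions, Smarty-style {$name}, and {{ name }} for good measure) and treats a placeholder inside an href as the strong indicator. The sample messages are constructed for the example; the sender addresses use the reserved .invalid domain and are not real.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not real mail). The first mimics the phish
# described in the thread, with the template token left unfilled.
PHISH_WITH_RESIDUE = """From: "Account Security" <noreply@example.invalid>
Subject: Your account has been compromised

Your account is at risk of closure. Please log in
<a href="{int_link}">here</a> to verify your account details.
"""

SMARTY_STYLE_RESIDUE = """Subject: Verify now

Dear {{ name }}, confirm your details at <a href='{$link}'>this link</a>.
"""

# Legitimate text containing a literal brace pair that must NOT trigger.
LEGIT_NEWSLETTER = """From: Shop <news@example.invalid>
Subject: Weekly deals

Sale ends Friday. See <a href="https://shop.example.invalid/deals">our deals</a>.
Set notation reminder: the empty set is written {}.
"""

# Placeholder syntaxes:
#   {int_link}      bare curly-brace substitution (home-grown botnet templates)
#   {$variable}     Smarty
#   {{ variable }}  Jinja/Django/Mustache style
PLACEHOLDER_RE = re.compile(r"\{\{\s*[A-Za-z_][\w.]*\s*\}\}|\{\$?[A-Za-z_]\w*\}")
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


@dataclass
class TemplateResidue:
    placeholders: list = field(default_factory=list)        # every token found
    hrefs_with_placeholders: list = field(default_factory=list)  # tokens in link targets

    @property
    def suspicious(self) -> bool:
        # A placeholder in the body text could be an innocent quote of code;
        # a placeholder as a link target means the message was never rendered.
        return bool(self.hrefs_with_placeholders)


def find_template_residue(body: str) -> TemplateResidue:
    """Collect unfilled template tokens, noting which ones sit inside an href."""
    result = TemplateResidue()
    result.placeholders = sorted(set(PLACEHOLDER_RE.findall(body)))
    for href in HREF_RE.findall(body):
        if PLACEHOLDER_RE.search(href):
            result.hrefs_with_placeholders.append(href)
    return result


if __name__ == "__main__":
    for label, msg in [("phish", PHISH_WITH_RESIDUE),
                       ("smarty", SMARTY_STYLE_RESIDUE),
                       ("newsletter", LEGIT_NEWSLETTER)]:
        r = find_template_residue(msg)
        print(f"{label:10} suspicious={r.suspicious} tokens={r.placeholders}")
```

The href check is deliberately the only thing that flips the verdict: a bare brace pair or a code snippet quoting `{var}` in a newsletter body is common enough that placeholder presence alone would be a noisy rule, whereas a link target that cannot be clicked is close to unambiguous.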
-
@Cassidy said:
.. is this a CFM placeholder? ISTR that Smarty templates used a similar placeholder convention, but I can't see a smarty engine being used as a spam relay.
If you're still curious, Smarty uses {$variable}. And I can't see PHP embedded into a botnet either, unless it was written by Paula Bean.
-
@heterodox said:
And I can't see PHP embedded into a botnet either, unless it was written by Paula Bean.
I was thinking more the other way around - the botnet exploiting a common PHP app (wordpress/django/gallery/etc) which used that as a template placeholder somehow.
(most botnet code I see these days is written in perl)