INTUIT INC: phish phail



  • Just had phish - usual "your account (has been compromised|needs verifying|is at risk of closure), log in <a href=httphish://compromised swerver/.hidden_dir/phake.htm>here</a>" stuff.

    Except that the link points to {int_link}.

    Thankfully, they sent me a follow-up email an hour later, confirming that my account should be okay but I ought to log in just to check and verify my account details.

     Except that the URL still says {int_link}.

    .. is this a CFM placeholder? ISTR that Smarty templates used a similar placeholder convention, but I can't see a smarty engine being used as a spam relay.




  • @Cassidy said:

    Just had phish - usual "your account (has been compromised|needs verifying|is at risk of closure), log in <a href=httphish://compromised swerver/.hidden_dir/phake.htm>here</a>" stuff.

    Except that the link points to {int_link}.

    Thankfully, they sent me a follow-up email an hour later, confirming that my account should be okay but I ought to log in just to check and verify my account details.

     Except that the URL still says {int_link}.

    .. is this a CFM placeholder? ISTR that Smarty templates used a similar placeholder convention, but I can't see a smarty engine being used as a spam relay.

    Most spambotnets distribute templates from the C&C to the individual bots, using a variety of home-grown template formats, see e.g. http://www.google.co.uk/search?q=botnet+spam+template.  Curly-brace substitutions seem to be a common theme; yours looks a bit like Ozdok/Mega-D, but there are tons of all-vaguely-alike other possibilities.  There's no way to infer just from seeing a single CFM- or Smarty-like template item what's actually being used, but it's probably not anything server-side because that wouldn't make sense in a botnet, you want to distribute the work, not fill the templates out there!



  • :belt_onion:

    @Cassidy said:

    .. is this a CFM placeholder? ISTR that Smarty templates used a similar placeholder convention, but I can't see a smarty engine being used as a spam relay.

    If you're still curious, Smarty uses {$variable}. And I can't see PHP embedded into a botnet either, unless it was written by Paula Bean.
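Added example, not posted by anyone in this thread: the two posts above describe spam templates whose curly-brace tokens were never filled in, and note that Smarty's own syntax is {$variable}. The leaked token is itself a useful detection signal, so this small Python check (written for this page; the pattern names, helper names and the sample messages are constructed) flags mail bodies where a template token of the kinds mentioned here, {int_link}-style braces, Smarty {$variable}, or ColdFusion's #variable# which the CFM question alludes to, survives unsubstituted in the text or, worse, as a link target.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# Placeholder styles discussed in the thread. These are patterns constructed
# for this example, not signatures of any particular spam kit.
PLACEHOLDER_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "brace":  re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}"),      # {int_link}
    "smarty": re.compile(r"\{\$([A-Za-z_][A-Za-z0-9_.]*)\}"),   # {$variable}
    "cfm":    re.compile(r"#([A-Za-z_][A-Za-z0-9_.]*)#"),        # #variable#
}


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value is not None:
                    self.hrefs.append(value)


def find_placeholders(text: str) -> List[Dict[str, str]]:
    """Return every unsubstituted template token found in *text*.

    Each finding records the style that matched, the raw token and the
    bare variable name, so a mail filter can log or score on either.
    """
    findings: List[Dict[str, str]] = []
    for style, pattern in PLACEHOLDER_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({"style": style, "token": m.group(0), "name": m.group(1)})
    return findings


def unfilled_links(html_body: str) -> List[str]:
    """hrefs whose destination is still a template token rather than a URL."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [h for h in collector.hrefs if find_placeholders(h)]


def is_suspicious(html_body: str) -> bool:
    """True when a link target is an unfilled token (the thread's case) or
    when more than one unfilled token appears anywhere in the body."""
    return bool(unfilled_links(html_body)) or len(find_placeholders(html_body)) > 1


# Constructed sample messages modelled on the thread's description.
SAMPLE_PHISH = (
    "<p>Your account is at risk of closure. Please log in "
    '<a href="{int_link}">here</a> to verify your account details.</p>'
)
SAMPLE_LEGIT = (
    "<p>Thanks for your order. Track it "
    '<a href="https://example.com/track?id=42">here</a>.</p>'
    "<style>a{color:red}</style>"   # CSS braces carry a colon, so they do not match
)

if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, is_suspicious(body), find_placeholders(body), unfilled_links(body))
```

The brace pattern deliberately accepts only a bare identifier between the braces, so CSS rules and JSON fragments in legitimate HTML mail do not trip it; a single unfilled token in body text is treated as a weak signal, while a token sitting in an href is flagged outright, since no legitimate mailer ships a link that points at {int_link}.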



  • @heterodox said:

    And I can't see PHP embedded into a botnet either, unless it was written by Paula Bean.

    I was thinking more the other way around - the botnet exploiting a common PHP app (wordpress/django/gallery/etc) which used that as a template placeholder somehow.

    (most botnet code I see these days are written in perl)

